Platform
go
Component
github.com/mattermost/mattermost-plugin-calls
Fixed in
11.0.5
10.12.3
10.11.7
1.10.0
CVE-2025-62190 details a Cross-Site Request Forgery (CSRF) vulnerability within the Calls Widget plugin for Mattermost. This vulnerability allows an attacker to potentially trigger unwanted actions on behalf of an authenticated user, leading to unauthorized modifications or actions within the Mattermost instance. The vulnerability impacts versions of the Calls Widget plugin prior to 1.10.0, and a fix is available in version 1.10.0.
A successful CSRF attack exploits the trust a website has in a user's browser. In this case, an attacker could craft a malicious request that, when triggered by a logged-in Mattermost user, could perform actions such as initiating calls, modifying call settings, or potentially accessing sensitive information associated with the user's calls. The blast radius is limited to the actions that can be performed through the Calls Widget interface, but the impact can be significant if an attacker gains control over critical call functionalities. This vulnerability highlights the importance of proper CSRF protection for all user-facing components within Mattermost.
CVE-2025-62190 was publicly disclosed on 2025-12-30. There is currently no indication of active exploitation or inclusion on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the nature of CSRF vulnerabilities makes it likely that a PoC will emerge. The CVSS score of 4.3 (Medium) reflects the potential impact and relatively low complexity of exploitation.
Organizations heavily reliant on the Mattermost Calls Widget for internal or external communication are at increased risk. Specifically, deployments with limited security controls or those lacking robust CSRF protection mechanisms are particularly vulnerable. Teams using older versions of the Calls Widget plugin without regular security updates are also at significant risk.
• go / server: Examine the Mattermost plugin logs for unusual call initiation requests or modifications to call settings. Look for requests originating from unexpected sources or carrying suspicious parameters.
journalctl -u mattermost -f | grep "Calls Widget"
• generic web: Monitor the access logs in front of the Mattermost instance (reverse proxy or web server) for state-changing requests to the Calls Widget endpoints with unusual HTTP Referer headers. A Referer that does not point at the Mattermost domain, or that is missing on a POST, can indicate a CSRF attempt. (Placeholders in angle brackets must be replaced with the deployment's own values.)
grep "<calls_endpoint_path>" <reverse_proxy_access_log> | grep -v "\"https://<mattermost_domain>/"
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62190 is to upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. If an immediate upgrade is not feasible, consider temporary workarounds such as adding CSRF tokens to all sensitive (state-changing) endpoints within the Calls Widget. While not a complete solution, this can significantly reduce the attack surface. Additionally, review Mattermost's security best practices for CSRF protection. After upgrading, confirm the vulnerability is resolved by attempting to trigger a call action via a crafted URL – the request should be rejected if CSRF protection is properly implemented.
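The detection guidance above (flagging calls-endpoint requests whose Referer is foreign or absent) and the mitigation guidance (rejecting cross-site state-changing requests) share one core check: does the request prove it came from the deployment's own origin? The Go program below is an added illustration written for this page; it is not code from the mattermost-plugin-calls project or from the 1.10.0 fix, and it uses Origin/Referer validation rather than the CSRF tokens mentioned above. It assumes a site URL of https://chat.example.com, the plugin path prefix /plugins/com.mattermost.calls/ and Apache/nginx "combined" access-log lines, all constructed for the example. It shows the check applied as an HTTP middleware (exercised with in-memory requests) and as a scanner over sample log lines.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Constructed site URL for the example; a real deployment would read it from
// ServiceSettings.SiteURL.
const siteURL = "https://chat.example.com"

// schemeHost reduces a URL to "scheme://host" (the browser's notion of origin),
// returning "" when the value cannot be parsed or has no host.
func schemeHost(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Scheme + "://" + u.Host)
}

// sameOrigin reports whether the Origin header (preferred) or, failing that,
// the Referer header names the deployment's own origin. Browsers always send
// Origin on cross-site POSTs, so a missing or foreign value on a state-changing
// request is exactly the CSRF signal; both absent is treated as untrusted.
func sameOrigin(site, origin, referer string) bool {
	want := schemeHost(site)
	if origin != "" {
		return schemeHost(origin) == want
	}
	if referer != "" {
		return schemeHost(referer) == want
	}
	return false
}

var unsafeMethods = map[string]bool{"POST": true, "PUT": true, "PATCH": true, "DELETE": true}

// csrfGuard wraps a plugin handler and rejects state-changing requests that do
// not prove same-origin provenance. Read-only methods pass through untouched.
// In a real plugin this would apply to session-cookie-authenticated requests.
func csrfGuard(site string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if unsafeMethods[r.Method] && !sameOrigin(site, r.Header.Get("Origin"), r.Header.Get("Referer")) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe drives the guard with an in-memory request and returns the status code.
func probe(method, origin, referer string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, siteURL+"/plugins/com.mattermost.calls/calls/ch1/start", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	csrfGuard(siteURL, ok).ServeHTTP(rec, req)
	return rec.Code
}

// combinedLog matches one Apache/nginx "combined" access-log line:
// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$`)

// flagCrossOriginCalls returns the log lines where a state-changing request hit
// the calls plugin path with a Referer from another origin or no Referer at all.
func flagCrossOriginCalls(site, pathPrefix string, lines []string) []string {
	var hits []string
	for _, line := range lines {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-format line; skip rather than guess
		}
		method, path, referer := m[2], m[3], m[5]
		if referer == "-" {
			referer = "" // the log writes "-" when the header was absent
		}
		if unsafeMethods[method] && strings.HasPrefix(path, pathPrefix) && !sameOrigin(site, "", referer) {
			hits = append(hits, line)
		}
	}
	return hits
}

// Constructed sample log lines (not from any real deployment).
var sampleLog = []string{
	`10.0.0.5 - - [30/Dec/2025:10:00:01 +0000] "POST /plugins/com.mattermost.calls/calls/ch1/start HTTP/1.1" 200 12 "https://chat.example.com/team/channels/town-square" "Mozilla/5.0"`,
	`10.0.0.7 - - [30/Dec/2025:10:00:02 +0000] "POST /plugins/com.mattermost.calls/calls/ch1/start HTTP/1.1" 200 12 "https://evil.example.net/lure.html" "Mozilla/5.0"`,
	`10.0.0.9 - - [30/Dec/2025:10:00:03 +0000] "GET /plugins/com.mattermost.calls/calls/ch1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"`,
	`10.0.0.11 - - [30/Dec/2025:10:00:04 +0000] "POST /plugins/com.mattermost.calls/calls/ch1/end HTTP/1.1" 200 12 "-" "Mozilla/5.0"`,
}

func main() {
	fmt.Println("same-origin POST status:", probe("POST", siteURL, ""))
	fmt.Println("cross-origin POST status:", probe("POST", "https://evil.example.net", ""))
	for _, l := range flagCrossOriginCalls(siteURL, "/plugins/com.mattermost.calls/", sampleLog) {
		fmt.Println("FLAG:", l)
	}
}
```

Two design points matter in practice: the guard only constrains unsafe methods, so a GET from any origin still succeeds (as it should, since the browser's same-origin policy already hides the response); and a POST with neither Origin nor Referer is rejected, which is the safe default for cookie-authenticated browser traffic but would need an exemption for token-authenticated API clients. The log scanner flags the two POSTs from the sample whose Referer is foreign or missing and ignores the read-only GET.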
Update Mattermost to the latest available version. Versions 11.0.5, 10.12.3, 10.11.7 and later contain the fix for this CSRF vulnerability. Further details can be found in Mattermost's security announcement.
CVE-2025-62190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mattermost Calls Widget plugin, allowing attackers to perform actions on behalf of authenticated users.
You are affected if you are using the Mattermost Calls Widget plugin versions prior to 1.10.0. Upgrade immediately to mitigate the risk.
Upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. As a temporary workaround, implement CSRF tokens on sensitive endpoints.
There is currently no confirmed active exploitation of CVE-2025-62190, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Mattermost security advisories and release notes for detailed information and updates regarding CVE-2025-62190.