Platform: go
Component: github.com/mattermost/mattermost-plugin-calls
Fixed in: 11.0.5, 10.12.3, 10.11.7, 1.10.0
CVE-2025-62190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Calls Widget plugin for Mattermost. It allows an attacker to trigger unwanted actions on behalf of an authenticated user, leading to unauthorized modifications or actions within the Mattermost instance. Versions of the Calls Widget plugin prior to 1.10.0 are affected; the fix is available in version 1.10.0.
A CSRF attack exploits the trust a website places in a user's browser: the browser attaches the user's session cookie to a request regardless of which site initiated it. Here, an attacker could craft a request that, when triggered by a logged-in Mattermost user, performs actions such as initiating calls, modifying call settings, or potentially accessing sensitive information associated with the user's calls. The blast radius is limited to the actions that can be performed through the Calls Widget interface, but the impact can be significant if an attacker gains control over critical call functionality. The issue underlines the need for CSRF protection on every user-facing, state-changing endpoint within Mattermost.
CVE-2025-62190 was publicly disclosed on 2025-12-30. There is currently no indication of active exploitation, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the low complexity of CSRF attacks makes it likely that a PoC will emerge. The CVSS score of 4.3 (Medium) reflects the potential impact and the relatively low complexity of exploitation.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2025-62190 is to upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. If an immediate upgrade is not feasible, consider temporary workarounds such as adding CSRF tokens to all sensitive endpoints within the Calls Widget; this is not a complete solution, but it significantly reduces the attack surface. Also review Mattermost's security best practices for CSRF protection. After upgrading, confirm the vulnerability is resolved by attempting to trigger a call action via a crafted URL: the request should be rejected if CSRF protection is properly implemented.
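As an added illustration of the token check described above (example code written for this page, not the plugin's own): a Go middleware in the double-submit style that rejects a cookie-authenticated, state-changing request unless it echoes the CSRF cookie in a custom header, together with a driver that returns the status code so the "forged request is rejected" check can be exercised. The cookie and header names and the /plugins/calls/start path are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// Names are assumptions resembling Mattermost's session/CSRF pair, not the plugin's code.
const sessionCookie, csrfCookie, csrfHeader = "MMAUTHTOKEN", "MMCSRF", "X-CSRF-Token"

// csrfProtect wraps a state-changing endpoint: a request authenticated by the
// session cookie must echo the CSRF cookie in a custom header, which a
// cross-site form or <img> tag cannot set, so forged requests get 403.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			next.ServeHTTP(w, r) // safe methods must never change state
			return
		}
		if _, err := r.Cookie(sessionCookie); err != nil {
			next.ServeHTTP(w, r) // not cookie-authenticated: nothing to forge
			return
		}
		c, err := r.Cookie(csrfCookie)
		h := r.Header.Get(csrfHeader)
		if err != nil || h == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) != 1 {
			http.Error(w, "CSRF token missing or invalid", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// callAction drives the wrapped endpoint with the given method, session cookie,
// CSRF cookie and CSRF header (empty strings are omitted) and returns the status.
func callAction(method, sess, csrfCk, csrfHdr string) int {
	h := csrfProtect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/plugins/calls/start", nil) // constructed path
	for name, v := range map[string]string{sessionCookie: sess, csrfCookie: csrfCk} {
		if v != "" {
			req.AddCookie(&http.Cookie{Name: name, Value: v})
		}
	}
	req.Header.Set(csrfHeader, csrfHdr) // an empty header is treated as absent
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```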
Update Mattermost to the latest available version. Versions 11.0.5, 10.12.3, 10.11.7 and later contain the fix for this CSRF vulnerability. See the Mattermost security advisory for more details.
CVE-2025-62190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mattermost Calls Widget plugin, allowing attackers to perform actions on behalf of authenticated users.
You are affected if you are using the Mattermost Calls Widget plugin versions prior to 1.10.0. Upgrade immediately to mitigate the risk.
Upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. As a temporary workaround, implement CSRF tokens on sensitive endpoints.
There is currently no confirmed active exploitation of CVE-2025-62190, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Mattermost security advisories and release notes for detailed information and updates regarding CVE-2025-62190.