Platform
go
Component
github.com/mattermost/mattermost-plugin-calls
Fixed in
11.0.5
10.12.3
10.11.7
1.10.0
CVE-2025-62190 details a Cross-Site Request Forgery (CSRF) vulnerability within the Calls Widget plugin for Mattermost. This vulnerability allows an attacker to potentially trigger unwanted actions on behalf of an authenticated user, leading to unauthorized modifications or actions within the Mattermost instance. The vulnerability impacts versions of the Calls Widget plugin prior to 1.10.0, and a fix is available in version 1.10.0.
A successful CSRF attack exploits the trust a website has in a user's browser. In this case, an attacker could craft a malicious request that, when triggered by a logged-in Mattermost user, could perform actions such as initiating calls, modifying call settings, or potentially accessing sensitive information associated with the user's calls. The blast radius is limited to the actions that can be performed through the Calls Widget interface, but the impact can be significant if an attacker gains control over critical call functionalities. This vulnerability highlights the importance of proper CSRF protection for all user-facing components within Mattermost.
CVE-2025-62190 was publicly disclosed on 2025-12-30. There is currently no indication of active exploitation or inclusion on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the nature of CSRF vulnerabilities makes it likely that a PoC will emerge. The CVSS score of 4.3 (Medium) reflects the potential impact and relatively low complexity of exploitation.
Organizations heavily reliant on the Mattermost Calls Widget for internal or external communication are at increased risk. Specifically, deployments with limited security controls or those lacking robust CSRF protection mechanisms are particularly vulnerable. Teams using older versions of the Calls Widget plugin without regular security updates are also at significant risk.
• go / server: Examine Mattermost plugin logs for unusual call initiation requests or modifications to call settings. Look for requests originating from unexpected sources or with suspicious parameters.
journalctl -u mattermost -f | grep "Calls Widget"
• generic web: Monitor the access logs of the Mattermost instance (or of the reverse proxy in front of it) for state-changing requests to the Calls Widget endpoints whose HTTP Referer header does not point at the Mattermost domain. Requests with no Referer at all deserve the same scrutiny, since browsers strip it under a strict referrer policy, and the Origin header, when present, is the more reliable signal. A HEAD request with curl only shows response headers, so the check has to run over the logged requests:
grep "<calls_widget_path>" <access_log> | grep -v "https://<mattermost_domain>"
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62190 is to upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as adding CSRF tokens to all sensitive endpoints within the Calls Widget. While not a complete solution, this can significantly reduce the attack surface. Additionally, review Mattermost's security best practices for CSRF protection. After upgrading, confirm the vulnerability is resolved by attempting to trigger a call action via a crafted URL – the request should be rejected if CSRF protection is properly implemented.
Update Mattermost to the latest available version. Versions 11.0.5, 10.12.3, 10.11.7 and later contain the fix for this CSRF vulnerability. See the Mattermost security announcement for more details.
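The following Go program is an added example, not code from Mattermost or the Calls plugin. It shows both halves of the guidance above in working form: a server-side guard that rejects state-changing requests whose Origin or Referer does not belong to the trusted site (an origin check, which complements the CSRF-token workaround the text names rather than replacing it), and the log review rule from the detection section applied to a constructed access log. The host mattermost.example.com, the endpoint paths under /plugins/calls/, and the log lines are all constructed for the example and are not the plugin's real routes or real traffic.

```go
package main

import (
	"bufio"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedHost is the host Mattermost is served from. Constructed placeholder;
// a real deployment would derive it from the configured site URL.
const trustedHost = "mattermost.example.com"

// hostTrusted reports whether a URL-valued header (Origin or Referer) points at
// the trusted host. Unparsable values, "-" and "null" origins are untrusted.
func hostTrusted(v string) bool {
	u, err := url.Parse(v)
	return err == nil && strings.EqualFold(u.Hostname(), trustedHost)
}

// isSafeMethod is true for methods that must not change state.
func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// sameOrigin: Origin is authoritative when present, Referer is the fallback,
// and a request carrying neither is rejected, because a forged cross-site
// request under a strict referrer policy looks exactly like that.
func sameOrigin(r *http.Request) bool {
	if o := r.Header.Get("Origin"); o != "" {
		return hostTrusted(o)
	}
	if ref := r.Header.Get("Referer"); ref != "" {
		return hostTrusted(ref)
	}
	return false
}

// csrfGuard returns 403 for unsafe-method requests that fail the origin check.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSafeMethod(r.Method) && !sameOrigin(r) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor drives the guard with a synthetic request and returns the status
// code. The endpoint path is hypothetical, not the plugin's real route.
func statusFor(method, origin, referer string) int {
	h := csrfGuard(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/plugins/calls/start", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if referer != "" {
		req.Header.Set("Referer", referer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// quotedFields returns the double-quoted fields of a combined-format access
// log line: [request line, referer, user agent].
func quotedFields(line string) []string {
	parts := strings.Split(line, `"`)
	var out []string
	for i := 1; i < len(parts); i += 2 {
		out = append(out, parts[i])
	}
	return out
}

// suspiciousRequests applies the detection rule from the text: unsafe-method
// requests under callsPath whose referer is missing ("-") or belongs to a
// host other than trustedHost are returned for review.
func suspiciousRequests(accessLog, callsPath string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(accessLog))
	for sc.Scan() {
		line := sc.Text()
		q := quotedFields(line)
		if len(q) < 2 {
			continue
		}
		req := strings.Fields(q[0]) // e.g. "POST /plugins/calls/start HTTP/1.1"
		if len(req) < 2 || isSafeMethod(req[0]) || !strings.HasPrefix(req[1], callsPath) {
			continue
		}
		if q[1] == "-" || !hostTrusted(q[1]) {
			hits = append(hits, line)
		}
	}
	return hits
}

// sampleLog is constructed test data in combined log format, not real traffic.
const sampleLog = `203.0.113.5 - alice [30/Dec/2025:10:00:01 +0000] "POST /plugins/calls/start HTTP/1.1" 200 42 "https://mattermost.example.com/team/channels/town-square" "Mozilla/5.0"
198.51.100.7 - alice [30/Dec/2025:10:00:09 +0000] "POST /plugins/calls/start HTTP/1.1" 200 42 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - alice [30/Dec/2025:10:00:15 +0000] "POST /plugins/calls/settings HTTP/1.1" 200 17 "-" "Mozilla/5.0"
203.0.113.5 - alice [30/Dec/2025:10:00:20 +0000] "GET /plugins/calls/status HTTP/1.1" 200 8 "https://other.example/" "Mozilla/5.0"`
```

Run against sampleLog with callsPath "/plugins/calls/", suspiciousRequests flags the second line (foreign referer) and the third (no referer) and ignores the GET, which cannot change state; statusFor("POST", "https://attacker.example", "") yields 403 while the same POST with a trusted Origin or Referer yields 200. The guard deliberately treats a missing Origin and Referer as a rejection: that is the failure mode the detection text glosses over, and it is also why a synchronizer token remains the stronger control for endpoints that legitimate non-browser clients must reach.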
CVE-2025-62190 is a Cross-Site Request Forgery (CSRF) vulnerability in the Mattermost Calls Widget plugin, allowing attackers to perform actions on behalf of authenticated users.
You are affected if you are using the Mattermost Calls Widget plugin versions prior to 1.10.0. Upgrade immediately to mitigate the risk.
Upgrade the Mattermost Calls Widget plugin to version 1.10.0 or later. As a temporary workaround, implement CSRF tokens on sensitive endpoints.
There is currently no confirmed active exploitation of CVE-2025-62190, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Mattermost security advisories and release notes for detailed information and updates regarding CVE-2025-62190.