CVE-2025-12689: Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in

December 17, 2025 (updated December 20, 2025)

Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.

References

github.com/advisories/GHSA-j5vq-62gr-8v3r
github.com/mattermost/mattermost
github.com/mattermost/mattermost-plugin-calls/commit/f68b41980e1274e05cf91c687e2af1a73c5e36ca
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2025-12689

Code Behaviors & Features

Detect and mitigate CVE-2025-12689 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →