CVE-2025-62190: Mattermost has CSRF vulnerability via Calls Widget page
Mattermost versions 11.0.x < 11.0.4, 10.12.x <= 10.12.2, 10.11.x < 10.11.6 and Mattermost Calls versions < 1.10.0 fail to implement CSRF protection on the Calls widget page, which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link.
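The bug class named in the description, as an added illustration that is not Mattermost's or the Calls plugin's code: a cookie-authenticated widget endpoint that performs a state-changing action on a plain GET, so a crafted link or an attacker's page that embeds the URL triggers it in the victim's session, beside a hardened version that accepts the action only on POST with a per-session CSRF token. The cookie name, header name, path, in-memory session store and the "start a call" side effect are all assumptions made for this example; the real fix is in the linked commit.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Hypothetical cookie and header names chosen for this example, not Mattermost's.
const (
	sessionCookie = "session"
	csrfHeader    = "X-CSRF-Token"
)

var (
	mu       sync.Mutex
	sessions = map[string]string{} // constructed session store: cookie value -> CSRF token
	calls    []string              // channel IDs in which a "call" was started
)

// newSession logs a user in: a random session cookie with a random CSRF token bound to it.
func newSession() (cookie, token string) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	cookie, token = hex.EncodeToString(b[:16]), hex.EncodeToString(b[16:])
	mu.Lock()
	sessions[cookie] = token
	mu.Unlock()
	return cookie, token
}

// sessionToken returns the CSRF token bound to the request's session cookie, "" if unauthenticated.
func sessionToken(r *http.Request) string {
	c, err := r.Cookie(sessionCookie)
	if err != nil {
		return ""
	}
	mu.Lock()
	defer mu.Unlock()
	return sessions[c.Value]
}

func startCall(channelID string) { mu.Lock(); calls = append(calls, channelID); mu.Unlock() }
func resetCalls()                { mu.Lock(); calls = nil; mu.Unlock() }

// callsStarted reports how many state-changing actions went through.
func callsStarted() int { mu.Lock(); defer mu.Unlock(); return len(calls) }

// vulnerableWidget only checks that a session cookie is present. Browsers attach that
// cookie to any request for the site, so a logged-in user who opens a crafted link, or
// an attacker page that embeds the URL, starts a call in whatever channel_id the URL names.
func vulnerableWidget(w http.ResponseWriter, r *http.Request) {
	if sessionToken(r) == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	startCall(r.URL.Query().Get("channel_id"))
	fmt.Fprintln(w, "call started")
}

// hardenedWidget performs the state change only on POST and only when the request carries
// the CSRF token bound to the session. A cross-site link or form cannot read that token,
// and a plain form post cannot set a custom header, so the forged request is refused.
func hardenedWidget(w http.ResponseWriter, r *http.Request) {
	token := sessionToken(r)
	if token == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	if subtle.ConstantTimeCompare([]byte(r.Header.Get(csrfHeader)), []byte(token)) != 1 {
		http.Error(w, "csrf check failed", http.StatusForbidden)
		return
	}
	startCall(r.FormValue("channel_id"))
	fmt.Fprintln(w, "call started")
}

// send replays one browser-style request against h: the session cookie is always attached,
// as a browser would, and token goes in the CSRF header only when non-empty. Returns the status.
func send(h http.HandlerFunc, method, cookie, token string) int {
	body := ""
	if method == http.MethodPost {
		body = "channel_id=general"
	}
	req := httptest.NewRequest(method, "/calls/widget?channel_id=general", strings.NewReader(body))
	if method == http.MethodPost {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
	if token != "" {
		req.Header.Set(csrfHeader, token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	cookie, token := newSession()
	fmt.Println("crafted link -> vulnerable widget:", send(vulnerableWidget, http.MethodGet, cookie, ""), "calls:", callsStarted())
	resetCalls()
	fmt.Println("crafted link -> hardened widget:  ", send(hardenedWidget, http.MethodGet, cookie, ""), "calls:", callsStarted())
	fmt.Println("cross-site form post, no token:   ", send(hardenedWidget, http.MethodPost, cookie, ""), "calls:", callsStarted())
	fmt.Println("same-origin post with token:      ", send(hardenedWidget, http.MethodPost, cookie, token), "calls:", callsStarted())
}
```

The calls in main() replay what a browser does: the session cookie travels with the request regardless of which site issued it, so the only things separating the forged request from a legitimate one are the method and a token the attacker's page cannot read. Marking the session cookie SameSite=Lax would additionally keep it off cross-site POSTs, but Lax still sends it on top-level GET navigations, which is why a GET that mutates state is the more serious of the two defects and why the hardened handler rejects GET outright.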
References
- github.com/advisories/GHSA-gmx5-frv9-9m9f
- github.com/mattermost/mattermost-plugin-calls
- github.com/mattermost/mattermost-plugin-calls/commit/429cfaf2a301a369414d1ca18a3364e85901c8d1
- github.com/mattermost/mattermost-plugin-calls/releases/tag/v1.10.0
- mattermost.com/security-updates
- nvd.nist.gov/vuln/detail/CVE-2025-62190