Moderate severityOSV Advisory· Published Dec 17, 2025· Updated Dec 17, 2025
DoS in Calls plugin via malformed UTF-8 in WebSocket request
CVE-2025-12689
Description
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check WebSocket request field for proper UTF-8 format, which allows attacker to crash Calls plug-in via sending malformed request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost-plugin-callsGo | < 1.11.0 | 1.11.0 |
Affected products
3- Range: @mattermost/client@10.11.0, @mattermost/client@10.12.0, @mattermost/client@11.0.4, …
- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-plugin-callspkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.11.0+ 1 more
- (no CPE)range: < 1.11.0
- (no CPE)range: < 0.0.20251230T014957-150000.1.134.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.