Moderate severityOSV Advisory· Published Dec 17, 2025· Updated Dec 17, 2025
CSRF Allows Call Initiation and Message Delivery
CVE-2025-62190
Description
Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 and Mattermost Calls versions <=1.10.0 fail to implement CSRF protection on the Calls widget page which allows an authenticated attacker to initiate calls and inject messages into channels or direct messages via a malicious webpage or crafted link
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/mattermost/mattermost-plugin-callsGo | < 1.10.0 | 1.10.0 |
Affected products
3- Range: @mattermost/client@10.11.0, @mattermost/client@10.12.0, @mattermost/client@11.0.4, …
- ghsa-coords2 versionspkg:golang/github.com/mattermost/mattermost-plugin-callspkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.10.0+ 1 more
- (no CPE)range: < 1.10.0
- (no CPE)range: < 0.0.20251230T014957-150000.1.134.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-gmx5-frv9-9m9fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62190ghsaADVISORY
- github.com/mattermost/mattermost-plugin-calls/commit/429cfaf2a301a369414d1ca18a3364e85901c8d1ghsaWEB
- github.com/mattermost/mattermost-plugin-calls/releases/tag/v1.10.0ghsaWEB
- mattermost.com/security-updatesghsaWEB
News mentions
0No linked articles in our index yet.