Primary

Context

Mattermost WebSocket UTF-8 Validation Vulnerability Leading to Calls Plugin Crash

Vulnerability

Patched

A vulnerability exists in Mattermost versions 11.0.x prior to 11.0.4, 10.12.x prior to 10.12.2, and 10.11.x prior to 10.11.6. These versions do not properly validate the UTF-8 format of WebSocket request fields. This oversight allows an attacker to send malformed requests that can crash the Calls plugin.

Impact

Exploitation of this vulnerability leads to a crash of the Calls plugin.

Remediation

Users can upgrade to Mattermost versions 11.1.011.0.510.12.310.11.7 to address this vulnerability.

Added: Dec 17, 2025, 7:31 PM

Updated: Dec 17, 2025, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

0.6

exploitability

5.2

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Mattermost WebSocket UTF-8 Validation Vulnerability Leading to Calls Plugin Crash

Vulnerability

Impact

Remediation

Affected Products

Mattermost

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating