Origin Validation Error in Chatwoot Widget by Chatwoot
CVE-2025-12245

6.9 MEDIUM

Key Information:

Vendor:
Chatwoot
Status:
Vendor
CVE Published:
27 October 2025

What is CVE-2025-12245?

A vulnerability has been identified in the Chatwoot Widget, specifically in the initPostMessageCommunication function in the app/javascript/sdk/IFrameHelper.js file. The function does not properly validate the baseUrl argument, resulting in an origin validation error in the widget's message exchange. The flaw can be triggered remotely by an attacker, enabling unauthorized access or actions within the application. Although the vendor was approached regarding this issue, there has been no response to date. Users are advised to take preventive measures until a patch is released.
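As an added illustration of the mitigation (this is example code written for this entry, not Chatwoot's own implementation), the following shows a strict origin check for a widget's postMessage channel: the configured baseUrl is reduced to its exact origin, inbound events from any other origin are dropped before their data is parsed, and outbound messages pin targetOrigin instead of using `*`. Function names, the `https://chat.example.test` host and the sample events are assumptions constructed for the example.

```javascript
'use strict';

// Exact origin (scheme + host + port) the widget may exchange messages with.
// Throws on an unparsable or non-http(s) baseUrl so misconfiguration fails closed.
function expectedOrigin(baseUrl) {
  const url = new URL(baseUrl);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`unsupported scheme in baseUrl: ${url.protocol}`);
  }
  return url.origin;
}

// Strict equality on the whole origin. Prefix or substring checks would
// accept lookalikes such as https://chat.example.test.attacker.test.
function isTrustedOrigin(baseUrl, eventOrigin) {
  if (typeof eventOrigin !== 'string' || eventOrigin === 'null') return false;
  return expectedOrigin(baseUrl) === eventOrigin;
}

// 'message' listener that drops events from any other origin before
// parsing event.data; returns a result object so the decision is testable.
function makeMessageHandler(baseUrl, onTrusted) {
  const allowed = expectedOrigin(baseUrl);
  return function handleMessage(event) {
    if (event.origin !== allowed) {
      return { accepted: false, reason: `origin ${event.origin} rejected` };
    }
    let payload;
    try {
      payload = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
    } catch (err) {
      return { accepted: false, reason: 'malformed message' };
    }
    onTrusted(payload);
    return { accepted: true, payload };
  };
}

// Outbound direction: pin targetOrigin instead of '*' so a navigated or
// spoofed frame never receives the message.
function postToHost(targetWindow, baseUrl, message) {
  targetWindow.postMessage(JSON.stringify(message), expectedOrigin(baseUrl));
}

// Constructed sample events standing in for window 'message' events.
const handler = makeMessageHandler('https://chat.example.test', () => {});
handler({ origin: 'https://chat.example.test', data: '{"event":"ping"}' });            // accepted
handler({ origin: 'https://chat.example.test.attacker.test', data: '{"event":"x"}' }); // rejected
```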

Affected Version(s)

chatwoot 4.0

chatwoot 4.1

chatwoot 4.2

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

fpatrik (VulDB User)