CVE-2025-12245

MEDIUM

Chatwoot < 4.7.0 - Origin Validation Error

Title source: rule

Description

A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Scores

CVSS v3 5.3
EPSS 0.0003
EPSS Percentile 8.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-345 CWE-346
Status published

Affected Products (1)

chatwoot/chatwoot < 4.7.0

Timeline

Published Oct 27, 2025
Tracked Since Feb 18, 2026