CVE-2025-61987 is a vulnerability identified in Japan Total System Co.,Ltd.'s GroupSession collaboration software, specifically in the Free edition prior to version 5.3.0, byCloud prior to 5.3.3, and ZION prior to 5.3.2. The root cause is the lack of origin validation in the WebSocket implementation used by these products. WebSockets are a protocol enabling persistent, full-duplex communication channels between clients and servers, commonly used for real-time chat applications. Without validating the origin header, the server cannot verify whether incoming WebSocket connection requests originate from trusted sources. An attacker can exploit this by hosting a crafted malicious webpage that initiates a WebSocket connection to the vulnerable GroupSession server. When a legitimate user visits this malicious page, the attacker may gain access to chat information transmitted over the WebSocket connection, leading to unauthorized disclosure of sensitive communication data. The vulnerability does not require any authentication or user interaction beyond visiting the malicious page, making it easier to exploit. The CVSS v3.0 base score is 5.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to confidentiality loss only. There are no known exploits in the wild as of the published date. The vendor has released fixed versions (5.3.0 and later) that presumably implement proper origin validation to mitigate this issue.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive chat communications within GroupSession environments. Organizations relying on GroupSession for internal collaboration or client communications may suffer confidentiality breaches if users access malicious web content while connected to the vulnerable system. This could lead to exposure of proprietary information, personal data, or strategic discussions, potentially violating GDPR and other data protection regulations. Although the vulnerability does not affect data integrity or availability, the confidentiality impact alone can damage organizational trust and compliance posture. The ease of exploitation (no authentication or user interaction beyond visiting a page) increases the risk, especially in environments where users may access untrusted web content. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks. Organizations with remote or hybrid workforces using GroupSession are particularly vulnerable due to increased exposure to web-based threats.

European organizations should prioritize upgrading all affected GroupSession products to versions 5.3.0 or later (Free edition), 5.3.3 or later (byCloud), and 5.3.2 or later (ZION) to ensure the vulnerability is patched. In addition to patching, administrators should implement strict WebSocket origin validation policies to reject connections from untrusted or unknown origins. Network-level controls such as Web Application Firewalls (WAFs) can be configured to monitor and block suspicious WebSocket traffic. User education campaigns should warn about the risks of visiting untrusted websites while connected to internal collaboration tools. Organizations should also audit their GroupSession deployments to identify any exposed WebSocket endpoints accessible from untrusted networks and consider network segmentation to limit exposure. Monitoring and logging WebSocket connection attempts can help detect potential exploitation attempts. Finally, ensure compliance with data protection regulations by reviewing data handling and breach response procedures related to chat data.