CVE-2025-48937

matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55
https://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b
https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w
https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 16:15

Updated : 2025-06-12 16:06

NVD link : CVE-2025-48937

Mitre link : CVE-2025-48937

CVE.ORG link : CVE-2025-48937

JSON object : View

Products Affected

No product.

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2025-48937", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2025-06-10T16:15:41.670", "references": [{"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55", "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b", "source": "security-advisories@github.com"}, {"url": "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w", "source": "security-advisories@github.com"}, {"url": "https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0."}, {"lang": "es", "value": "matrix-rust-sdk es una implementaci\u00f3n de una librer\u00eda cliente-servidor Matrix en Rust. matrix-sdk-crypto, desde la versi\u00f3n 0.8.0 hasta la 0.11.0, no valida correctamente el remitente de un evento cifrado. Por lo tanto, un operador malicioso del servidor principal puede modificar los eventos enviados a los clientes, haciendo que el destinatario los vea como si los hubiera enviado otro usuario. Esta vulnerabilidad se ha corregido en las versiones 0.11.1 y 0.12.0."}], "lastModified": "2025-06-12T16:06:39.330", "sourceIdentifier": "security-advisories@github.com"}