CVE-2024-52813: matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity

January 7, 2025 (updated January 22, 2025)

Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user’s cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes.

References

github.com/advisories/GHSA-r5vf-wf4h-82gg
github.com/matrix-org/matrix-rust-sdk
github.com/matrix-org/matrix-rust-sdk/pull/3795
github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-r5vf-wf4h-82gg
nvd.nist.gov/vuln/detail/CVE-2024-52813
rustsec.org/advisories/RUSTSEC-2024-0434.html

Code Behaviors & Features

Detect and mitigate CVE-2024-52813 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →