CVE-2025-48937: matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator
matrix-sdk-crypto since version 0.8.0 up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user.
Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High Severity security issue.
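As an added illustration (not code from matrix-rust-sdk), the following Rust model shows the check a client-side crypto layer must make: the `sender` field of an `m.room.encrypted` envelope is written by the homeserver, so it has to be compared against the identity that was bound to the Megolm session when its key arrived over the authenticated Olm channel. The `SessionStore`, `SessionSender` and `Verdict` types are hypothetical stand-ins for the SDK's own structures.

```rust
use std::collections::HashMap;

/// Identity bound to an inbound Megolm session when its room key was received
/// over Olm (constructed model; the real SDK stores this differently).
#[derive(Clone, Debug, PartialEq)]
pub struct SessionSender {
    pub user_id: String,
    pub device_id: String,
}

/// Outcome of validating the envelope sender against the session.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Ok,
    UnknownSession,
    MismatchedSender { claimed: String, bound: String },
}

/// Inbound sessions keyed by (room_id, session_id), as they appear in
/// the `content` of an `m.room.encrypted` event.
#[derive(Default)]
pub struct SessionStore {
    sessions: HashMap<(String, String), SessionSender>,
}

impl SessionStore {
    pub fn add(&mut self, room_id: &str, session_id: &str, sender: SessionSender) {
        self.sessions.insert((room_id.into(), session_id.into()), sender);
    }

    /// The validation the advisory describes as missing: a server-supplied
    /// `sender` that differs from the session's bound user must be rejected
    /// rather than displayed as the message author.
    pub fn check_sender(&self, room_id: &str, session_id: &str, claimed: &str) -> Verdict {
        match self.sessions.get(&(room_id.to_string(), session_id.to_string())) {
            None => Verdict::UnknownSession,
            Some(bound) if bound.user_id == claimed => Verdict::Ok,
            Some(bound) => Verdict::MismatchedSender {
                claimed: claimed.to_string(),
                bound: bound.user_id.clone(),
            },
        }
    }
}

fn main() {
    let mut store = SessionStore::default();
    let alice = SessionSender { user_id: "@alice:example.org".into(), device_id: "DEV1".into() };
    store.add("!room:example.org", "sess1", alice);
    // Constructed tampered envelope: the server rewrote `sender` to Bob.
    println!("{:?}", store.check_sender("!room:example.org", "sess1", "@bob:example.org"));
}
```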
References
- github.com/advisories/GHSA-x958-rvg6-956w
- github.com/matrix-org/matrix-rust-sdk
- github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55
- github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b
- github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w
- nvd.nist.gov/vuln/detail/CVE-2025-48937
- rustsec.org/advisories/RUSTSEC-2025-0041.html
- spec.matrix.org/v1.14/client-server-api/