CVE-2025-59160: matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.
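The defect described above is one-directional trust in a room's own predecessor claim. The following is an added example, not matrix-js-sdk code and not its fix, showing that weak pattern beside a check that requires the upgrade link to agree in both directions. It assumes the Matrix spec fields `predecessor.room_id` on `m.room.create` and `replacement_room` on `m.room.tombstone`; the room map shape, the helper names and the sample rooms are constructed for this example.

```javascript
// Added example (not matrix-js-sdk code): validating a room-upgrade link in both
// directions. Relies on two Matrix spec fields: m.room.create content
// "predecessor.room_id" and m.room.tombstone content "replacement_room".
// Room objects here are a constructed minimal shape, not the SDK's Room class.

// The insufficient pattern (illustrative, not quoted from the SDK): trusting the
// candidate room's predecessor claim without consulting the old room's tombstone.
// Any room can assert any predecessor, so this alone lets an unrelated room
// present itself as the upgrade of a tombstoned one.
function claimsPredecessorOnly(rooms, oldRoomId, candidateRoomId) {
  const candidate = rooms.get(candidateRoomId);
  return candidate?.create?.content?.predecessor?.room_id === oldRoomId;
}

// Hardened check: the candidate is accepted as the upgrade of oldRoomId only if
//  1. its m.room.create event names oldRoomId as predecessor, AND
//  2. the old room's m.room.tombstone event names the candidate as replacement_room.
// The tombstone lives in the old room, which the attacker does not control.
function isValidUpgrade(rooms, oldRoomId, candidateRoomId) {
  const oldRoom = rooms.get(oldRoomId);
  const candidate = rooms.get(candidateRoomId);
  if (!oldRoom || !candidate) return false;

  const predecessor = candidate.create?.content?.predecessor?.room_id;
  if (predecessor !== oldRoomId) return false; // forward link missing or wrong

  const replacement = oldRoom.tombstone?.content?.replacement_room;
  return replacement === candidateRoomId; // back link must agree
}

// Given the joined rooms, return the ids that are "live", i.e. not superseded by a
// mutually-linked successor. A tombstoned room whose only claimed successor is an
// unrelated room stays visible instead of being silently replaced.
function liveRoomIds(rooms) {
  const superseded = new Set();
  for (const [candidateId, candidate] of rooms) {
    const oldId = candidate.create?.content?.predecessor?.room_id;
    if (oldId && isValidUpgrade(rooms, oldId, candidateId)) superseded.add(oldId);
  }
  return [...rooms.keys()].filter((id) => !superseded.has(id));
}

// Constructed sample: !old is tombstoned and points at !new; !evil merely claims
// !old as its predecessor while the tombstone does not point back at it.
function sampleRooms() {
  return new Map([
    ['!old:example.org', {
      create: { content: {} },
      tombstone: { content: { replacement_room: '!new:example.org' } },
    }],
    ['!new:example.org', {
      create: { content: { predecessor: { room_id: '!old:example.org' } } },
    }],
    ['!evil:example.org', {
      create: { content: { predecessor: { room_id: '!old:example.org' } } },
    }],
  ]);
}

// Usage: the weak check accepts !evil, the hardened check does not.
const rooms = sampleRooms();
console.log(claimsPredecessorOnly(rooms, '!old:example.org', '!evil:example.org')); // true
console.log(isValidUpgrade(rooms, '!old:example.org', '!evil:example.org'));        // false
console.log(liveRoomIds(rooms)); // [ '!new:example.org', '!evil:example.org' ]
```

The design point is which side of the link the attacker controls: a remote party can put any `predecessor` into a room they create, but cannot write the `m.room.tombstone` event inside the victim's existing room. Requiring both events to agree ties the upgrade to state the attacker cannot forge.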