CVE-2025-48937
MEDIUM4.9EPSS 0.27%matrix-sdk-crypto vulnerable to encrypted event sender spoofing by homeserver administrator
Published: 6/10/2025Modified: 6/12/2025
Description
matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High severity security issue.
Affected packages (2)
- crates.io/matrix-sdk-crypto>= 0.8.0, < 0.11.1
- crates.io/matrix-sdk-crypto>= 0.8.0, < 0.11.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48937
- PATCHhttps://crates.io/crates/matrix-sdk-crypto
- PATCHhttps://github.com/matrix-org/matrix-rust-sdk
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b
- WEBhttps://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w
- WEBhttps://rustsec.org/advisories/RUSTSEC-2025-0041.html
- WEBhttps://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2