CVE-2025-66622
EPSS 0.06%
matrix-sdk-base: Denial of service due to custom `m.room.join_rules` events
Published: 12/8/2025
Modified: 12/8/2025
Description
The matrix-sdk-base crate cannot handle sync responses that include custom `m.room.join_rules` values, because of a serialization bug. This can be exploited to cause a denial of service: if a user is invited to a room with non-standard join rules, the crate's sync process stalls, preventing further processing for all rooms.
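The following is an added example, not code from the advisory or from matrix-rust-sdk, that models the failure mode in plain Rust: a strict decode of the `join_rule` value rejects any custom value and fails the whole sync batch, while a decoder with a `Custom` fallback variant processes every room. The room identifiers and the custom rule name are constructed.

```rust
// Added example, not code from matrix-rust-sdk: a strict enum decode of
// m.room.join_rules aborts a whole sync; a fallback variant keeps it going.

/// Join rules named by the Matrix spec, plus a catch-all for custom values.
#[derive(Debug, Clone, PartialEq)]
pub enum JoinRule {
    Public,
    Invite,
    Knock,
    Restricted,
    KnockRestricted,
    Private,
    /// Any other value (the spec allows namespaced custom join rules).
    Custom(String),
}

/// Strict decode: any value outside the known set is an error.
pub fn parse_strict(value: &str) -> Result<JoinRule, String> {
    match value {
        "public" => Ok(JoinRule::Public),
        "invite" => Ok(JoinRule::Invite),
        "knock" => Ok(JoinRule::Knock),
        "restricted" => Ok(JoinRule::Restricted),
        "knock_restricted" => Ok(JoinRule::KnockRestricted),
        "private" => Ok(JoinRule::Private),
        other => Err(format!("unknown join_rule {other:?}")),
    }
}

/// Tolerant decode: unknown values are kept as `Custom` instead of failing.
pub fn parse_tolerant(value: &str) -> JoinRule {
    parse_strict(value).unwrap_or_else(|_| JoinRule::Custom(value.to_string()))
}

/// One sync response: every room's join rule must decode before the batch is
/// applied, so a single custom value fails the whole response (the stall).
pub fn apply_sync_strict(rooms: &[(&str, &str)]) -> Result<Vec<(String, JoinRule)>, String> {
    rooms.iter().map(|(id, rule)| parse_strict(rule).map(|r| (id.to_string(), r))).collect()
}

/// Same batch with the tolerant decoder: every room is processed.
pub fn apply_sync_tolerant(rooms: &[(&str, &str)]) -> Vec<(String, JoinRule)> {
    rooms.iter().map(|(id, rule)| (id.to_string(), parse_tolerant(rule))).collect()
}

fn main() {
    // Constructed sample: the invited room "!b" carries a custom, namespaced join rule.
    let rooms = [("!a:x", "invite"), ("!b:x", "org.example.rule"), ("!c:x", "public")];
    println!("strict: {:?}\ntolerant: {:?}", apply_sync_strict(&rooms), apply_sync_tolerant(&rooms));
}
```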
Affected packages (2)
- crates.io/matrix-sdk-base: from 0, < 0.16.0
- crates.io/matrix-sdk-base: >= 0.0.0-0, < 0.16.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-66622
- PATCH: https://crates.io/crates/matrix-sdk-base
- PATCH: https://github.com/matrix-org/matrix-rust-sdk
- WEB: https://github.com/matrix-org/matrix-rust-sdk/commit/4ea0418abefab2aa93f8851a4d39c723e703e6b0
- WEB: https://github.com/matrix-org/matrix-rust-sdk/pull/5924
- WEB: https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3
- WEB: https://rustsec.org/advisories/RUSTSEC-2025-0135.html