CVE-2025-48937
matrix-sdk-crypto vulnerable to encrypted event sender spoofing by homeserver administrator
Severity: MEDIUM 4.9 | EPSS: 0.27%
Published: 2025/6/10 | Modified: 2025/6/12
Description
matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 do not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High severity security issue.
Affected packages (2)
- crates.io/matrix-sdk-crypto >= 0.8.0, < 0.11.1
- crates.io/matrix-sdk-crypto >= 0.8.0, < 0.11.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-48937
- PATCH: https://crates.io/crates/matrix-sdk-crypto
- PATCH: https://github.com/matrix-org/matrix-rust-sdk
- WEB: https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55
- WEB: https://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b
- WEB: https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w
- WEB: https://rustsec.org/advisories/RUSTSEC-2025-0041.html
- WEB: https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2