CVE-2025-66622
EPSS 0.06%
matrix-sdk-base: Denial of service due to custom `m.room.join_rules` events
Published: 2025/12/8 Modified: 2025/12/8
Description
The matrix-sdk-base crate cannot handle sync responses that include custom `m.room.join_rules` values because of a serialization bug. This can be exploited to cause a denial of service: if a user is invited to a room with non-standard join rules, the crate's sync process stalls, preventing further processing for all rooms.
Affected packages (2)
- crates.io/matrix-sdk-base: from 0, < 0.16.0
- crates.io/matrix-sdk-base: >= 0.0.0-0, < 0.16.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-66622
- PATCH: https://crates.io/crates/matrix-sdk-base
- PATCH: https://github.com/matrix-org/matrix-rust-sdk
- WEB: https://github.com/matrix-org/matrix-rust-sdk/commit/4ea0418abefab2aa93f8851a4d39c723e703e6b0
- WEB: https://github.com/matrix-org/matrix-rust-sdk/pull/5924
- WEB: https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3
- WEB: https://rustsec.org/advisories/RUSTSEC-2025-0135.html