PT-2022-24846 · Unknown · Matrix-Nio

Lowpoljar · Published 2022-09-29 · Updated 2023-07-13 · CVE-2022-39254

CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: matrix-nio versions prior to 0.20
Description: The issue arises when a user requests a room key from their devices. The software remembers the request but fails to check the origin of the forwarded room key, allowing homeservers to potentially insert room keys of questionable validity and mount an impersonation attack.
Recommendations: For versions prior to 0.20, update to version 0.20 to resolve the issue. As a temporary workaround, consider restricting the acceptance of forwarded room keys to only those that are responses to previous requests and match the device the key was requested from.
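The following Python model is an added illustration of the origin check the workaround above describes; it is not code from matrix-nio or from the advisory. It contrasts the described pre-0.20 behaviour (a request is remembered, but whoever answers it is trusted) with a hardened acceptance routine that only takes a forwarded key answering an outstanding request from the exact device that was asked. All class names, field names and the sample room, session, user and device identifiers are constructed for the example.

```python
# Added illustration (not matrix-nio's own code): accept a forwarded room key
# only when it answers a request this client made and arrives from the device
# the key was requested from. Names and sample values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SessionRef = Tuple[str, str]  # (room_id, session_id)


@dataclass(frozen=True)
class RoomKeyRequest:
    room_id: str
    session_id: str
    target_user: str    # user whose device we asked for the key
    target_device: str  # device ID we asked (hypothetical field names)


@dataclass(frozen=True)
class ForwardedRoomKey:
    room_id: str
    session_id: str
    origin_user: str    # sender of the decrypted to-device event
    origin_device: str  # device whose Olm session decrypted the event
    session_key: str    # Megolm session key material (constructed placeholder)


class RoomKeyStore:
    def __init__(self) -> None:
        self.outstanding: Dict[SessionRef, RoomKeyRequest] = {}
        self.sessions: Dict[SessionRef, str] = {}
        self.rejected: List[Tuple[SessionRef, str]] = []

    def request_key(self, req: RoomKeyRequest) -> None:
        """Remember that we asked a specific device for this session's key."""
        self.outstanding[(req.room_id, req.session_id)] = req

    def accept_unchecked(self, fwd: ForwardedRoomKey) -> bool:
        """Behaviour the advisory describes for versions prior to 0.20:
        the request is remembered, but the key's origin is never compared
        to the device that was asked."""
        ref = (fwd.room_id, fwd.session_id)
        if ref not in self.outstanding:
            return False
        self.sessions[ref] = fwd.session_key
        del self.outstanding[ref]
        return True

    def accept_checked(self, fwd: ForwardedRoomKey) -> bool:
        """Hardened variant: the forwarded key must answer an outstanding
        request and come from the (user, device) pair that request targeted."""
        ref = (fwd.room_id, fwd.session_id)
        req = self.outstanding.get(ref)
        if req is None:
            self.rejected.append((ref, "unsolicited forwarded key"))
            return False
        if (fwd.origin_user, fwd.origin_device) != (req.target_user, req.target_device):
            self.rejected.append((ref, "forwarded key from a device we did not ask"))
            return False
        self.sessions[ref] = fwd.session_key
        del self.outstanding[ref]
        return True


def scenario(checked: bool) -> dict:
    """Replay one request followed by two answers: an injected key that does
    not come from the requested device, then the genuine one. Returns what
    the store ended up trusting."""
    store = RoomKeyStore()
    ref: SessionRef = ("!room:example.org", "sess1")
    store.request_key(RoomKeyRequest(ref[0], ref[1], "@alice:example.org", "ALICEDEV"))
    injected = ForwardedRoomKey(ref[0], ref[1], "@mallory:example.org", "EVILDEV", "INJECTED")
    genuine = ForwardedRoomKey(ref[0], ref[1], "@alice:example.org", "ALICEDEV", "GENUINE")
    accept = store.accept_checked if checked else store.accept_unchecked
    injected_ok = accept(injected)
    genuine_ok = accept(genuine)
    stored: Optional[str] = store.sessions.get(ref)
    return {
        "injected_accepted": injected_ok,
        "genuine_accepted": genuine_ok,
        "session_key": stored,
        "rejections": len(store.rejected),
    }


if __name__ == "__main__":
    print("unchecked:", scenario(False))
    print("checked:  ", scenario(True))
```

In the unchecked run the injected key is stored and the request is cleared, so the genuine answer that arrives afterwards is discarded; the client now decrypts with material it did not ask that device for, which is the impersonation risk the description points at. In the checked run the injected key is rejected and logged, and the genuine key is the one stored.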

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-39254
GHSA-W4PR-4VJG-HFFH

Affected Products

Matrix-Nio