CVE-2025-48937

CVSS v3.1

4.9

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions matrix-rust-sdk versions 0.8.0 through 0.11.0

Description The issue arises from the failure to correctly validate the sender of an encrypted event in the matrix-sdk-crypto component. This allows a malicious homeserver operator to modify events served to clients, making those events appear to the recipient as if they were sent by another user.

Recommendations For versions 0.8.0 through 0.11.0, update to version 0.11.1 or 0.12.0 to resolve the issue.

Exploit

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-290

Related Identifiers

CVE-2025-48937

GHSA-X958-RVG6-956W

OPENSUSE-SU-2025:15218-1

RUSTSEC-2025-0041

Affected Products

Matrix-Rust-Sdk

CVE-2025-48937

Weakness Enumeration

Related Identifiers

Affected Products

References · 15