PT-2025-52860 · Unknown · Continuwuity

Jadedblueeyes · Published 2025-12-23 · Updated 2025-12-26 · CVE-2025-68667

CVSS v4.0: 9.9 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions: continuwuity versions prior to 0.5.0

Description: A remote, unauthenticated attacker can force the target server to cryptographically sign arbitrary membership events. This occurs because the server does not validate the origin of a signing request when the event's state key is a valid user ID belonging to the target server. The vulnerable API endpoint is `/_matrix/federation/v2/invite/{roomId}/{eventId}`.

Recommendations: Block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId}` endpoint using a reverse proxy. Update to version 0.5.0 or later.

Related Identifiers

CVE-2025-68667
GHSA-22FW-4JQ7-G8R8

Affected Products

Continuwuity