RUSTSEC-2025-0041

Source
https://rustsec.org/advisories/RUSTSEC-2025-0041
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0041.json
JSON Data
https://api.test.osv.dev/v1/vulns/RUSTSEC-2025-0041
Aliases
Published
2025-06-11T12:00:00Z
Modified
2025-06-12T09:41:57.023831Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
matrix-sdk-crypto vulnerable to encrypted event sender spoofing by homeserver administrator
Details

matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 do not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user.

Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High severity security issue.

Database specific
{
    "license": "CC0-1.0"
}
References

Affected packages

crates.io / matrix-sdk-crypto

Package

Name
matrix-sdk-crypto
Purl
pkg:cargo/matrix-sdk-crypto

Affected ranges

Type
SEMVER
Events
Introduced
0.8.0
Fixed
0.11.1

Ecosystem specific

{
    "affects": {
        "os": [],
        "arch": [],
        "functions": []
    },
    "affected_functions": null
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
    "informational": null,
    "categories": []
}