CVE-2025-48937
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-06-12
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48937 is a security vulnerability in the matrix-sdk-crypto Rust package (versions 0.8.0 to 0.11.0) where the software does not correctly verify the sender of an encrypted Matrix event. This flaw allows a malicious homeserver operator to modify events so that they appear to come from a different user than the actual sender. The issue arises because the package fails to confirm that the sender of the event matches the owner of the cryptographic session used to decrypt it. This can lead to sender spoofing, where events are falsely attributed to other users. The vulnerability is fixed in versions 0.11.1 and 0.12.0 by adding a verification step that compares the sender ID in the event to the session owner and rejects mismatches. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can impact you by allowing a malicious homeserver administrator to impersonate other users when sending encrypted events. This means that the integrity of messages can be compromised, as you might receive messages that appear to come from trusted users but were actually forged by the attacker. While it does not affect confidentiality or availability, it undermines trust in the authenticity of messages, potentially leading to misinformation or unauthorized actions based on spoofed events. Exploitation requires administrator-level access to the homeserver, so trusting your homeserver administrators reduces risk. [3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a malicious homeserver operator spoofing the sender of encrypted Matrix events. Detection involves monitoring for events whose sender field does not match the expected owner of the Megolm session used to decrypt them. Since the Matrix Client-Server API exchanges JSON over HTTP(S), you can inspect event payloads for inconsistencies between the sender field and session ownership. However, no specific commands are provided in the resources. Detection would typically require analyzing decrypted event data and verifying sender identities against session data, for example by enabling or reviewing matrix-rust-sdk client logs that record verification state changes, which would indicate a spoofed sender. [4, 3, 1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade the matrix-sdk-crypto package to version 0.11.1 or later (including 0.12.0), where the fix has been implemented. The fix enforces verification that the sender of an encrypted event matches the owner of the Megolm session, preventing sender spoofing. Additionally, ensure that you trust your homeserver administrators, as exploitation requires administrator-level access to the homeserver. Applying the patch from commit 13c1d2048286bbabf5e7bc6b015aafee98f04d55 is critical to prevent this issue. [3, 4, 2]
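The check that the fixed versions add, as an added illustration (this is not code from matrix-sdk-crypto or the referenced commit): a constructed session store holds inbound Megolm sessions together with the user who owns them, and decryption is shown in the vulnerable shape (session known, room matches, sender never compared) beside the hardened shape that rejects an event whose `sender` differs from the session owner. The type and field names (`InboundGroupSession`, `owner_user_id`, `DecryptError::SenderMismatch`) and the reversed-string "decryption" are assumptions for the example; the `SenderMismatch` error is also the condition a client would log to detect the spoofing described above.

```rust
use std::collections::HashMap;

/// Constructed stand-in for an inbound Megolm session as a client would store it:
/// the room it belongs to and the user whose device created it (assumption: the
/// owner is known from the key-sharing step that delivered the session).
#[derive(Debug, Clone)]
pub struct InboundGroupSession {
    pub session_id: String,
    pub room_id: String,
    pub owner_user_id: String,
}

/// Constructed stand-in for the fields of an `m.room.encrypted` event that matter here.
#[derive(Debug, Clone)]
pub struct EncryptedEvent {
    pub room_id: String,
    pub sender: String,
    pub session_id: String,
    pub ciphertext: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum DecryptError {
    UnknownSession,
    RoomMismatch,
    /// The event's `sender` is not the owner of the session that decrypts it.
    SenderMismatch { claimed: String, session_owner: String },
}

pub struct SessionStore {
    sessions: HashMap<String, InboundGroupSession>,
}

impl SessionStore {
    pub fn new(sessions: Vec<InboundGroupSession>) -> Self {
        let sessions = sessions.into_iter().map(|s| (s.session_id.clone(), s)).collect();
        Self { sessions }
    }

    /// Vulnerable shape: decrypts whenever the session is known and the room matches,
    /// so a homeserver can rewrite `sender` and the event is still accepted.
    pub fn decrypt_unverified(&self, ev: &EncryptedEvent) -> Result<String, DecryptError> {
        let s = self.sessions.get(&ev.session_id).ok_or(DecryptError::UnknownSession)?;
        if s.room_id != ev.room_id {
            return Err(DecryptError::RoomMismatch);
        }
        Ok(toy_decrypt(&ev.ciphertext))
    }

    /// Hardened shape: the same checks plus the sender/owner comparison; a mismatch is
    /// rejected before any plaintext is handed to the caller.
    pub fn decrypt_verified(&self, ev: &EncryptedEvent) -> Result<String, DecryptError> {
        let s = self.sessions.get(&ev.session_id).ok_or(DecryptError::UnknownSession)?;
        if s.room_id != ev.room_id {
            return Err(DecryptError::RoomMismatch);
        }
        if s.owner_user_id != ev.sender {
            return Err(DecryptError::SenderMismatch {
                claimed: ev.sender.clone(),
                session_owner: s.owner_user_id.clone(),
            });
        }
        Ok(toy_decrypt(&ev.ciphertext))
    }
}

/// Stand-in for Megolm decryption (the ratchet is irrelevant to the check):
/// the constructed "ciphertext" is simply the plaintext reversed.
fn toy_decrypt(ciphertext: &str) -> String {
    ciphertext.chars().rev().collect()
}

/// Constructed sample: one session owned by @alice in !room:example.org.
pub fn sample_store() -> SessionStore {
    SessionStore::new(vec![InboundGroupSession {
        session_id: "sess-1".into(),
        room_id: "!room:example.org".into(),
        owner_user_id: "@alice:example.org".into(),
    }])
}

/// Constructed event as Alice's device would send it.
pub fn genuine_event() -> EncryptedEvent {
    EncryptedEvent {
        room_id: "!room:example.org".into(),
        sender: "@alice:example.org".into(),
        session_id: "sess-1".into(),
        ciphertext: "olleh".into(),
    }
}

/// Constructed event with the same ciphertext but `sender` rewritten by the homeserver.
pub fn spoofed_event() -> EncryptedEvent {
    EncryptedEvent { sender: "@mallory:example.org".into(), ..genuine_event() }
}

fn main() {
    let store = sample_store();
    println!("unverified: {:?}", store.decrypt_unverified(&spoofed_event()));
    println!("verified:   {:?}", store.decrypt_verified(&spoofed_event()));
}
```

Run stand-alone, the unverified path returns `Ok("hello")` for the spoofed event while the verified path returns `SenderMismatch`, which is the behaviour the upgrade to 0.11.1 or 0.12.0 introduces.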