CVE-2025-59160
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59160
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
matrix matrix_js_sdk 38.1.0
matrix matrix_js_sdk 38.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the matrix-js-sdk (before version 38.2.0) involves insufficient validation of room predecessor links in the MatrixClient::getJoinedRooms function. It allows a remote attacker to attempt to replace a tombstoned (closed or deprecated) room with an unrelated attacker-controlled room by exploiting improper handling of room upgrade relationships. Essentially, the SDK does not properly verify that a room replacement is mutually acknowledged, which can lead to incorrect room visibility and potential confusion or manipulation in the client interface. [2, 1]

Impact Analysis

This vulnerability can impact users by allowing an attacker to replace a tombstoned room with an unrelated, attacker-supplied room. This could cause confusion or misrepresentation of room histories and visibility within the client, potentially misleading users about the state or content of rooms they have joined. While the severity is rated as low, it may affect the integrity of room upgrade relationships and user experience. [2, 1]

Detection Guidance

This vulnerability relates to insufficient validation of room predecessor links in the matrix-js-sdk, specifically in the MatrixClient::getJoinedRooms function. Detection would involve inspecting the usage of this function in your client applications and checking if they are running a vulnerable version of matrix-js-sdk (before 38.2.0). There are no specific network detection commands provided. However, you can check the installed version of matrix-js-sdk in your project by running commands like `npm list matrix-js-sdk` or `yarn list matrix-js-sdk` to verify if the version is older than 38.2.0. Additionally, reviewing your codebase for usage of `getJoinedRooms` versus `getRooms()` with filtering can help identify potential exposure. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the matrix-js-sdk package to version 38.2.0 or later, where the issue has been patched. As a workaround, avoid using the vulnerable MatrixClient::getJoinedRooms method and instead use getRooms() combined with separate filtering of upgraded rooms. These steps will prevent attackers from exploiting the insufficient validation of room predecessor links. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart