CVE-2025-59161
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-16

Last updated on: 2025-09-17

Assigner: GitHub, Inc.

Description
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-16
Last Modified
2025-09-17
Generated
2026-06-16
AI Q&A
2025-09-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59161
EUVD
EUVD-2025-29626
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
element element_web 1.11.112
element element_desktop 1.11.112
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Element Web and Element Desktop (before version 1.11.112) involves insufficient validation of room predecessor links. A remote attacker can temporarily replace a legitimate room's entry in a user's room list with an unrelated attacker-supplied room. Although this replacement is temporary and can be fixed by reloading the application, it may confuse users into acting on incorrect assumptions about which room they are interacting with. [1]

Impact Analysis

The vulnerability can cause confusion by temporarily showing an attacker-supplied room in place of a legitimate room in the user's room list. This may lead users to mistakenly interact with the wrong room, potentially causing them to disclose information or take actions based on incorrect room context. However, the effect is impermanent and can be resolved by refreshing the application, which restores the correct room list. [1]

Detection Guidance

This vulnerability can be detected by observing if the room list in Element Web or Element Desktop temporarily shows an unrelated attacker-supplied room replacing a legitimate room. Since the issue involves insufficient validation of room predecessor links causing temporary incorrect room list entries, detection involves monitoring the client UI for unexpected room replacements. There are no specific network or system commands provided to detect this vulnerability directly. A practical approach is to refresh or reload the application to see if the room list state corrects itself, indicating the presence of the issue. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Element Web and Element Desktop to version 1.11.112 or later, where the vulnerability has been patched. As a temporary workaround, users can reload or refresh the application to restore the correct room list state, which removes the attacker-supplied room and reinstates the original room. These steps help prevent confusion caused by the temporary replacement of legitimate rooms. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59161. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart