CVE-2025-49090
BaseFortify
Publication date: 2025-10-02
Last updated on: 2025-10-06
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ejabberd | ejabberd | * |
| tuwunel | tuwunel | * |
| matrix | matrix | 1.16 |
| rocket.chat | rocket.chat | * |
| continuwuity | continuwuity | * |
| element | element | * |
| conduit | conduit | * |
| dendrite | dendrite | * |
| synapse | synapse | * |
| synapse_pro | synapse_pro | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-642 | The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is due to deficient state resolution in the Matrix specification versions before 1.16, specifically in room versions before 12 and State Resolution before 2.1. This means that the protocol's method for resolving the state of a room is flawed in these versions.
How can this vulnerability impact me?
The vulnerability can impact you by causing integrity issues in the state of Matrix rooms, potentially allowing unauthorized changes or inconsistencies in the room state. According to the CVSS score, it has a high impact on integrity and a low impact on availability, with network attack vector and low privileges required.