CVE-2025-62425
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62425, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-16

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description

MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-16
Last Modified
2025-10-21
Generated
2026-07-06
AI Q&A
2025-10-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
element matrix_authentication_service 1.4.0
element matrix_authentication_service 1.4.1
element matrix_authentication_service 0.20.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a logic flaw in the Matrix Authentication Service (MAS) versions 0.20.0 through 1.4.0 that allows an attacker who already has an authenticated MAS session to perform sensitive operations without needing to enter the current password. These operations include changing the current password, adding or removing an email address, and deactivating the account. It only affects instances with the local password database feature enabled and was fixed in version 1.4.1.

Impact Analysis

An attacker with access to an authenticated MAS session could exploit this vulnerability to change your password, modify your email addresses, or deactivate your account without your consent. This could lead to unauthorized account takeover, loss of access, or disruption of your service.

Mitigation Strategies

Upgrade matrix-authentication-service to version 1.4.1 or later, as this version contains the patch for the vulnerability. Additionally, if possible, disable the local password database feature in the configuration to prevent exposure to this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart