CVE-2025-62425
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-16

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-16
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-16
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62425
EUVD
EUVD-2025-34822
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
element matrix_authentication_service 1.4.0
element matrix_authentication_service 1.4.1
element matrix_authentication_service 0.20.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-620 When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a logic flaw in the Matrix Authentication Service (MAS) versions 0.20.0 through 1.4.0 that allows an attacker who already has an authenticated MAS session to perform sensitive operations without needing to enter the current password. These operations include changing the current password, adding or removing an email address, and deactivating the account. It only affects instances with the local password database feature enabled and was fixed in version 1.4.1.

Impact Analysis

An attacker with access to an authenticated MAS session could exploit this vulnerability to change your password, modify your email addresses, or deactivate your account without your consent. This could lead to unauthorized account takeover, loss of access, or disruption of your service.

Mitigation Strategies

Upgrade matrix-authentication-service to version 1.4.1 or later, as this version contains the patch for the vulnerability. Additionally, if possible, disable the local password database feature in the configuration to prevent exposure to this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart