CVE-2025-62425
BaseFortify
Publication date: 2025-10-16
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| element | matrix_authentication_service | 1.4.0 |
| element | matrix_authentication_service | 1.4.1 |
| element | matrix_authentication_service | 0.20.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic flaw in the Matrix Authentication Service (MAS) versions 0.20.0 through 1.4.0 that allows an attacker who already has an authenticated MAS session to perform sensitive operations without needing to enter the current password. These operations include changing the current password, adding or removing an email address, and deactivating the account. It only affects instances with the local password database feature enabled and was fixed in version 1.4.1.
How can this vulnerability impact me? :
An attacker with access to an authenticated MAS session could exploit this vulnerability to change your password, modify your email addresses, or deactivate your account without your consent. This could lead to unauthorized account takeover, loss of access, or disruption of your service.
What immediate steps should I take to mitigate this vulnerability?
Upgrade matrix-authentication-service to version 1.4.1 or later, as this version contains the patch for the vulnerability. Additionally, if possible, disable the local password database feature in the configuration to prevent exposure to this issue.