CVE-2025-68667
Unauthorized Remote Signing in continuwuity Matrix Homeserver Prior to
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| matrix | continuwuity | < 0.5.0 (fixed in 0.5.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-441 | The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the continuwuity Matrix homeserver (prior to version 0.5.0) allows a remote, unauthenticated attacker to make the server cryptographically sign membership events it should not sign. In Matrix federation, a remote homeserver that invites a local user sends the invite event to PUT /_matrix/federation/v2/invite/{roomId}/{eventId}, and the invited user's homeserver adds its own signature to that event. continuwuity signed such events whenever the event's state_key was a valid user ID on the server, without validating the origin of the request. An attacker who can reach the federation endpoint can therefore obtain membership events carrying the server's signature for any local user.
How can this vulnerability impact me? :
Other homeservers trust events that carry your server's signature, so an attacker can present a membership event for one of your users as if your server had legitimately signed it. This can lead to unauthorized changes to room memberships and to impersonation of your users or your server within the Matrix network, undermining the integrity of room state and the trust other servers place in your server's signatures.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is the version that is actually running, not a blind request. A bare curl -X PUT against /_matrix/federation/v2/invite/{roomId}/{eventId} with no body and no X-Matrix signature only shows that the endpoint exists; the response tells you nothing about whether the origin of a well-formed signing request is validated. Instead, query the version document the server publishes on its federation listener, GET /_matrix/federation/v1/version, which returns {"server":{"name":...,"version":...}}, and compare the version against 0.5.0. For example: curl -s https://your-server:8448/_matrix/federation/v1/version (use whatever host and port your /.well-known/matrix/server delegation points at). Any continuwuity version earlier than 0.5.0 is affected. Separately, reverse-proxy access logs showing PUT requests to /_matrix/federation/v2/invite/ from homeservers your users have no relationship with are worth investigating as possible abuse of the endpoint.
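The version check described above as a small script. This is an added example, not code from the advisory or the continuwuity project. It assumes that continuwuity reports the name "continuwuity" in its federation version document, that a pre-release suffix such as "-rc.1" on 0.5.0 should be treated as older than the final release (the advisory names only 0.5.0 as fixed), and it ships with a constructed sample response so that it can be exercised offline:

```shell
#!/bin/sh
# Added example for CVE-2025-68667 (not from the advisory or from continuwuity):
# classify a homeserver as vulnerable or patched from the document it serves at
# GET /_matrix/federation/v1/version, which has the shape
#   {"server":{"name":"<implementation>","version":"<version>"}}
# Assumptions: continuwuity reports the name "continuwuity" in that document,
# and a "-" pre-release suffix on the fixed version sorts before the release.
FIXED_VERSION="0.5.0"

# parse_field JSON FIELD: extract a quoted string value by key (no jq needed).
parse_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# numeric_core VERSION: the leading dotted-digit part, "v0.5.0-rc.1" -> "0.5.0".
numeric_core() {
  printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*//'
}

# prerelease_suffix VERSION: whatever follows the numeric core, e.g. "-rc.1".
prerelease_suffix() {
  printf '%s' "$1" | sed 's/^[^0-9]*//; s/^[0-9.]*//'
}

# version_lt A B: succeed when A sorts before B. Compares the first three
# numeric components; on equal cores, A is older only if it has a "-" suffix.
version_lt() {
  a="$(numeric_core "$1").0.0"
  b="$(numeric_core "$2").0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  case "$(prerelease_suffix "$1")" in
    -*) return 0 ;;
    *)  return 1 ;;
  esac
}

# assess JSON: print one of vulnerable | patched | not-continuwuity | unknown
assess() {
  name=$(parse_field "$1" name | tr 'A-Z' 'a-z')
  ver=$(parse_field "$1" version)
  if [ -z "$name" ] || [ -z "$ver" ]; then
    echo unknown
    return 0
  fi
  if [ "$name" != "continuwuity" ]; then
    echo not-continuwuity
    return 0
  fi
  if version_lt "$ver" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# check_server HOST[:PORT]: fetch the live version document and classify it.
# The document is served on the federation listener (commonly :8448, or
# wherever /.well-known/matrix/server delegates), not necessarily on :443.
check_server() {
  body=$(curl -fsS --max-time 10 "https://$1/_matrix/federation/v1/version") || {
    echo unknown
    return 0
  }
  assess "$body"
}

# Constructed sample response (not captured from a real server) for offline use.
SAMPLE='{"server":{"name":"continuwuity","version":"0.4.3"}}'

# Usage: sh check_continuwuity.sh matrix.example.org:8448
if [ "$#" -gt 0 ]; then
  check_server "$1"
else
  assess "$SAMPLE"
fi
```

Run it with the federation host and port of each homeserver you operate; "unknown" means the version document could not be fetched or parsed and needs a manual look rather than being treated as safe.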
What immediate steps should I take to mitigate this vulnerability?
Upgrade to continuwuity 0.5.0 or later, where the issue is fixed. Until the upgrade is done, block PUT /_matrix/federation/v2/invite/{roomId}/{eventId} at the reverse proxy in front of the federation listener. Be aware of the side effect: this endpoint is how remote homeservers deliver invites to your users, so inbound federated invites will fail while the block is in place. Remove the block once the server runs 0.5.0 or later.
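A reverse-proxy rule implementing that workaround, as an added example that is not from the advisory or the continuwuity project. It assumes nginx terminates TLS for federation on port 8448 and forwards to continuwuity on 127.0.0.1:6167; the hostname and certificate paths are placeholders:

```nginx
# Added example: nginx workaround for CVE-2025-68667.
# Assumptions: nginx terminates TLS for federation on :8448 and forwards to
# continuwuity on 127.0.0.1:6167; hostname and certificate paths are placeholders.
server {
    listen 8448 ssl;
    server_name matrix.example.org;
    ssl_certificate     /etc/ssl/matrix.example.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/matrix.example.org/privkey.pem;

    # Refuse the endpoint named in the advisory. A regex location takes
    # precedence over a plain prefix location such as /_matrix/ below, so this
    # rule wins regardless of where it sits in the file. It would not win
    # against a "^~" prefix location, so keep the proxy location a plain prefix.
    # Side effect: remote homeservers cannot deliver invites to local users
    # while this is in place; remove it after upgrading to 0.5.0 or later.
    location ~ ^/_matrix/federation/v2/invite/ {
        return 403;
    }

    location /_matrix/ {
        proxy_pass http://127.0.0.1:6167;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After nginx -t and a reload, confirm that a request to /_matrix/federation/v2/invite/x/y on port 8448 returns 403 while /_matrix/federation/v1/version still answers; if the proxy location in your existing configuration uses "^~", the regex block above is skipped and the workaround silently does nothing.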