CVE-2025-68667
Unknown Unknown - Not Provided
Unauthorized Remote Signing in continuwuity Matrix Homeserver Prior to

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: GitHub, Inc.

Description
continuwuity is a Matrix homeserver written in Rust. Prior to version 0.5.0, this vulnerability allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. This issue has been patched in version 0.5.0. A workaround for this issue involves blocking access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using the reverse proxy.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68667
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
matrix continuuwuity 0.5.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the continuwuity Matrix homeserver (prior to version 0.5.0) allows a remote, unauthenticated attacker to force the server to cryptographically sign arbitrary membership events. The issue arises because the server does not validate the origin of a signing request when the event's state_key is a valid user ID on the target server. This flaw enables attackers to misuse the server's signing capability without proper authorization.

Impact Analysis

The vulnerability can have severe impacts as it allows an unauthenticated attacker to make the server sign arbitrary membership events. This could lead to unauthorized changes in room memberships or impersonation within the Matrix network, potentially compromising the integrity and trustworthiness of communications and user memberships on the affected server.

Detection Guidance

You can detect this vulnerability by monitoring or attempting to access the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint on your Matrix homeserver. Commands such as curl or other HTTP request tools can be used to test if this endpoint is accessible and if it allows unauthenticated signing requests. For example: curl -X PUT https://your-server/_matrix/federation/v2/invite/roomId/eventId -v. If the server responds without proper validation or authentication, it may be vulnerable.

Mitigation Strategies

The immediate mitigation step is to block access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using a reverse proxy until you can upgrade to version 0.5.0 or later, where the issue is patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart