CVE-2025-68667
Unknown Unknown - Not Provided

Unauthorized Remote Signing in continuwuity Matrix Homeserver Prior to

Vulnerability report for CVE-2025-68667, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: GitHub, Inc.

Description

continuwuity is a Matrix homeserver written in Rust. Prior to version 0.5.0, this vulnerability allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. This issue has been patched in version 0.5.0. A workaround for this issue involves blocking access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using the reverse proxy.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-07-06
AI Q&A
2025-12-24
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
matrix continuuwuity 0.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the continuwuity Matrix homeserver (prior to version 0.5.0) allows a remote, unauthenticated attacker to force the server to cryptographically sign arbitrary membership events. The issue arises because the server does not validate the origin of a signing request when the event's state_key is a valid user ID on the target server. This flaw enables attackers to misuse the server's signing capability without proper authorization.

Impact Analysis

The vulnerability can have severe impacts as it allows an unauthenticated attacker to make the server sign arbitrary membership events. This could lead to unauthorized changes in room memberships or impersonation within the Matrix network, potentially compromising the integrity and trustworthiness of communications and user memberships on the affected server.

Detection Guidance

You can detect this vulnerability by monitoring or attempting to access the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint on your Matrix homeserver. Commands such as curl or other HTTP request tools can be used to test if this endpoint is accessible and if it allows unauthenticated signing requests. For example: curl -X PUT https://your-server/_matrix/federation/v2/invite/roomId/eventId -v. If the server responds without proper validation or authentication, it may be vulnerable.

Mitigation Strategies

The immediate mitigation step is to block access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using a reverse proxy until you can upgrade to version 0.5.0 or later, where the issue is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart