User Impersonation Affecting matrix-sdk-crypto package, versions >=0.8.0 <0.11.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.03% (8th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUST-MATRIXSDKCRYPTO-10442550
  • published20 Jun 2025
  • disclosed10 Jun 2025
  • creditDenis Kasak

Introduced: 10 Jun 2025

NewCVE-2025-48937  (opens in a new tab)
CWE-290  (opens in a new tab)

How to fix?

Upgrade matrix-sdk-crypto to version 0.11.1 or higher.

Overview

Affected versions of this package are vulnerable to User Impersonation due to improper validation of the sender identity in encrypted events. An attacker can manipulate events to appear as if they were sent by another user by exploiting the administrative privileges on the homeserver.

Note:

This is only exploitable if the attacker has administrative access to the homeserver.

CVSS Base Scores

version 4.0
version 3.1