CVE-2025-66622
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (GitHub Advisory)
matrix-sdk-base is the base component to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process will stall, preventing further processing for all rooms. This is fixed in version 0.16.0.
Analysis (AI)
A serialization bug in matrix-sdk-base allows a remote attacker to cause a denial of service by inviting the victim to a room whose m.room.join_rules state carries a custom value; the client's sync process stalls on that room and stops processing updates for every room. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5, no confidentiality or integrity impact), with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
Technical Context (AI)
matrix-sdk-base is a Rust library component used to build Matrix protocol clients, identified by CPE cpe:2.3:a:matrix:matrix-rust-sdk:*:*:*:*:*:*:*:*. The vulnerability is classed as CWE-755 (Improper Handling of Exceptional Conditions): the deserialization logic only accepts the join_rule values it knows about, so a custom or otherwise non-standard m.room.join_rules value in a room's state is treated as a hard deserialization error rather than preserved as an opaque value. Because the sync response is processed as a single unit, a failure on one room (for example, a room the user has just been invited to) halts the whole synchronization step, and the client stops receiving updates for all rooms until the offending room is gone.
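The following is an added illustration, written for this page and not code from matrix-rust-sdk, of the two design choices that turn one unexpected join_rule value into a stall for every room. It uses only the standard library; the enum, parser and batch functions are hypothetical stand-ins, and the sync rooms are constructed sample data, not a real server response. The strict parser models an enum with no fallback variant (the behaviour the advisory describes); the tolerant parser keeps unknown values as `Custom`; the two batch functions contrast all-or-nothing collection with per-room isolation.

```rust
// Added example (not matrix-rust-sdk code): models the advisory's failure
// mode and two independent mitigations, using only std.
use std::collections::BTreeMap;

/// Join rules enumerated by the Matrix spec, plus a catch-all for anything else.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum JoinRule {
    Public,
    Invite,
    Knock,
    Restricted,
    KnockRestricted,
    Private,
    /// Unknown value kept verbatim so it round-trips instead of failing.
    Custom(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ParseError(pub String);

/// Strict parser: mirrors an enum with no fallback variant. Any value outside
/// the spec list is an error, which is the behaviour the advisory describes.
pub fn parse_join_rule_strict(raw: &str) -> Result<JoinRule, ParseError> {
    match raw {
        "public" => Ok(JoinRule::Public),
        "invite" => Ok(JoinRule::Invite),
        "knock" => Ok(JoinRule::Knock),
        "restricted" => Ok(JoinRule::Restricted),
        "knock_restricted" => Ok(JoinRule::KnockRestricted),
        "private" => Ok(JoinRule::Private),
        other => Err(ParseError(format!("unknown join_rule {:?}", other))),
    }
}

/// Tolerant parser: same table, but an unknown value becomes `Custom`.
pub fn parse_join_rule_tolerant(raw: &str) -> Result<JoinRule, ParseError> {
    match parse_join_rule_strict(raw) {
        Ok(rule) => Ok(rule),
        Err(_) => Ok(JoinRule::Custom(raw.to_owned())),
    }
}

/// Constructed stand-in for the per-room slice of a /sync response:
/// (room id, raw join_rule string). Hypothetical data, not a real response.
pub fn sample_sync_rooms() -> Vec<(&'static str, &'static str)> {
    vec![
        ("!general:example.org", "public"),
        ("!invited:example.org", "io.example.vendor_rule"), // custom value
        ("!friends:example.org", "invite"),
    ]
}

/// Vulnerable shape: the batch is collected into one Result, so the first
/// parse error discards every room, including the ones that parsed fine.
pub fn process_batch_all_or_nothing(
    rooms: &[(&str, &str)],
    parse: fn(&str) -> Result<JoinRule, ParseError>,
) -> Result<BTreeMap<String, JoinRule>, ParseError> {
    rooms
        .iter()
        .map(|(id, raw)| parse(*raw).map(|rule| (id.to_string(), rule)))
        .collect()
}

/// Hardened shape: each room is handled on its own; a failure is recorded
/// and skipped instead of aborting the batch. Returns (applied, skipped).
pub fn process_batch_isolated(
    rooms: &[(&str, &str)],
    parse: fn(&str) -> Result<JoinRule, ParseError>,
) -> (BTreeMap<String, JoinRule>, Vec<(String, ParseError)>) {
    let mut applied = BTreeMap::new();
    let mut skipped = Vec::new();
    for (id, raw) in rooms {
        match parse(*raw) {
            Ok(rule) => {
                applied.insert(id.to_string(), rule);
            }
            Err(e) => skipped.push((id.to_string(), e)),
        }
    }
    (applied, skipped)
}

fn main() {
    let rooms = sample_sync_rooms();
    // Strict parser + all-or-nothing batch: nothing is applied (the stall).
    println!("{:?}", process_batch_all_or_nothing(&rooms, parse_join_rule_strict));
    // Strict parser + per-room isolation: two rooms applied, one skipped.
    println!("{:?}", process_batch_isolated(&rooms, parse_join_rule_strict));
    // Tolerant parser: all three applied, custom value preserved.
    println!("{:?}", process_batch_all_or_nothing(&rooms, parse_join_rule_tolerant));
}
```

Either mitigation alone prevents the all-rooms stall for this input; in practice both are worth having, since a tolerant enum covers unknown enum values but not the next unexpected field shape, while per-room isolation bounds the blast radius of any future deserialization failure to the room that caused it.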
Remediation (AI)
Upgrade matrix-sdk-base to version 0.16.0 or later, which includes the fix implemented in commit 4ea0418abefab2aa93f8851a4d39c723e703e6b0 and pull request #5924. The vendor advisory is published at https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3. Until the upgrade can be deployed, the only application-level workaround is to intercept the raw /sync response and reject or quarantine rooms whose m.room.join_rules state carries a non-standard value before the SDK deserializes it; most applications built on the SDK do not sit in that path, so upgrading remains the recommended solution.