CVE-2025-66622

HIGH
7.5
CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd) - Patch available
CVE Published: Dec 09, 2025 - 16:18 (nvd)

Description

matrix-sdk-base is the base component used to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process stalls, preventing further processing for all rooms. This is fixed in version 0.16.0.

Analysis

A serialization bug in matrix-sdk-base allows remote attackers to cause a denial of service by inviting a user to a room whose m.room.join_rules state carries a custom value, which stalls the sync process and prevents processing of all rooms. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5); a patch is available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.

Technical Context

matrix-sdk-base is a Rust library component used to build Matrix protocol clients, identified by CPE cpe:2.3:a:matrix:matrix-rust-sdk:*:*:*:*:*:*:*:*. The vulnerability stems from CWE-755 (Improper Handling of Exceptional Conditions): the deserialization logic cannot handle non-standard or custom m.room.join_rules values in Matrix room state events. When the sync process encounters such a join rule while processing a room invitation, deserialization of the sync response fails, the synchronization mechanism halts, and the client can no longer process room updates for any room, since every room's state is carried in the same sync response.

Affected Products

Matrix Rust SDK's matrix-sdk-base component versions 0.14.1 and earlier are vulnerable (CPE cpe:2.3:a:matrix:matrix-rust-sdk:*:*:*:*:*:*:*:*). The vulnerability has been disclosed through GitHub Security Advisory GHSA-jj6p-3m75-g2p3 and is tracked in the Rust security database as RUSTSEC-2025-0135. Any application or client built on these versions of matrix-sdk-base is susceptible to this denial-of-service condition when it processes a room invitation with custom join rules.

Remediation

Upgrade matrix-sdk-base to version 0.16.0 or later, which includes the fix implemented in commit 4ea0418abefab2aa93f8851a4d39c723e703e6b0 and pull request #5924. The patch is available from the vendor at https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-jj6p-3m75-g2p3. As a temporary workaround until patching is possible, consider implementing application-level filtering to reject or quarantine room invitations containing non-standard join rules before they reach the SDK's sync process, though upgrading remains the recommended solution.
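The following Rust program is an added illustration, not code from matrix-sdk-base, ruma or the Matrix Rust SDK project. It models the two ideas in the Technical Context and Remediation sections above: a join-rule parser that treats any unknown value as an error, so that one invited room with a custom rule aborts processing of the whole sync response, and the hardened alternative, in which unknown values are preserved as a catch-all variant and each room is handled independently. The type and function names (JoinRule, parse_join_rule_strict, sync_fragile, sync_hardened) and the sample sync data are assumptions made for the example and do not correspond to the SDK's real types.

```rust
// Added example modelling CWE-755 in a sync loop; not the SDK's own code.

/// Join rules named in the Matrix spec plus a catch-all for anything else.
/// Keeping the unknown value (instead of rejecting it) is the hardened design.
#[derive(Debug, Clone, PartialEq)]
pub enum JoinRule {
    Public,
    Invite,
    Knock,
    Restricted,
    Custom(String),
}

#[derive(Debug, PartialEq)]
pub struct ParseError(pub String);

/// Strict parser: an unknown join_rule is an error. This models the
/// fragile behaviour that lets a non-standard value stop processing.
pub fn parse_join_rule_strict(value: &str) -> Result<JoinRule, ParseError> {
    match value {
        "public" => Ok(JoinRule::Public),
        "invite" => Ok(JoinRule::Invite),
        "knock" => Ok(JoinRule::Knock),
        "restricted" => Ok(JoinRule::Restricted),
        other => Err(ParseError(format!("unknown join_rule {:?}", other))),
    }
}

/// Tolerant parser: unknown values are kept as `Custom` so the room can
/// still be processed and the value inspected or logged later.
pub fn parse_join_rule_tolerant(value: &str) -> JoinRule {
    parse_join_rule_strict(value).unwrap_or_else(|_| JoinRule::Custom(value.to_string()))
}

/// One invited room as it would appear in a sync response (hypothetical shape).
pub struct InvitedRoom {
    pub room_id: &'static str,
    pub join_rule: &'static str,
}

/// Constructed sample sync response: two standard rooms around one room
/// whose join rule uses a non-standard (namespaced) value.
pub const SAMPLE_SYNC: [InvitedRoom; 3] = [
    InvitedRoom { room_id: "!first:example.org", join_rule: "invite" },
    InvitedRoom { room_id: "!custom:example.org", join_rule: "example.custom_rule" },
    InvitedRoom { room_id: "!third:example.org", join_rule: "public" },
];

/// Fragile sync: `?` propagates the first parse error, so the rooms after
/// the offending one are never processed, and a retry of the same sync
/// fails at the same point (the "stall" described in the advisory).
pub fn sync_fragile(rooms: &[InvitedRoom]) -> Result<Vec<&'static str>, ParseError> {
    let mut processed = Vec::new();
    for room in rooms {
        let _rule = parse_join_rule_strict(room.join_rule)?;
        processed.push(room.room_id);
    }
    Ok(processed)
}

/// Hardened sync: each room is handled on its own; custom rules are kept
/// and reported separately, and every room in the response is processed.
pub fn sync_hardened(rooms: &[InvitedRoom]) -> (Vec<&'static str>, Vec<&'static str>) {
    let mut processed = Vec::new();
    let mut custom = Vec::new();
    for room in rooms {
        if let JoinRule::Custom(_) = parse_join_rule_tolerant(room.join_rule) {
            custom.push(room.room_id);
        }
        processed.push(room.room_id);
    }
    (processed, custom)
}

fn main() {
    match sync_fragile(&SAMPLE_SYNC) {
        Ok(rooms) => println!("fragile sync processed {:?}", rooms),
        Err(e) => println!("fragile sync stalled: {}", e.0),
    }
    let (processed, custom) = sync_hardened(&SAMPLE_SYNC);
    println!("hardened sync processed {:?}, custom join rules in {:?}", processed, custom);
}
```

The point of the comparison is where the error boundary sits: in the fragile version a single unrecognised value is fatal to the whole response, which is what turns an unexpected input into an availability problem; in the hardened version the unknown value is data to be recorded, and the failure domain is one room rather than the client. The same principle applies to an application-level filter placed in front of an unpatched SDK, as suggested above: it should drop or quarantine the single offending invitation, not the sync as a whole.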

Priority Score: 38 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0
