{"id":"CVE-2025-48937","summary":"matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator","details":"matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients, making those events appear to the recipient as if they were sent by another user. This vulnerability is fixed in 0.11.1 and 0.12.0.","aliases":["GHSA-x958-rvg6-956w","RUSTSEC-2025-0041"],"modified":"2026-04-10T05:28:52.480563Z","published":"2025-06-10T15:32:00.822Z","related":["openSUSE-SU-2025:15218-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-290"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48937.json"},"references":[{"type":"WEB","url":"https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48937.json"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48937"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"13c1d2048286bbabf5e7bc6b015aafee98f04d55"}]},{"type":"GIT","repo":"https://github.com/matrix-org/matrix-rust-sdk","events":[{"introduced":"0"},{"fixed":"56980745b4f27f7dc72ac296e6aa003e5d92a75b"}]}],"versions":["0.1.0","0.7.0","matrix-qrcode-0.2.0","matrix-sdk-0.10.0","matrix-sdk-0.11.0","matrix-sdk-0.4.0","matrix-sdk-0.4.1","matrix-sdk-0.8.0","matrix-sdk-0.9.0","matrix-sdk-base-0.10.0","matrix-sdk-base-0.11.0","matrix-sdk-base-0.4.0","matrix-sdk-base-0.4.1","matrix-sdk-base-0.8.0","matrix-sdk-base-0.9.0","matrix-sdk-common-0.10.0","matrix-sdk-common-0.11.0","matrix-sdk-common-0.4.0","matrix-sdk-common-0.4.1","matrix-sdk-common-0.8.0","matrix-sdk-common-0.9.0","matrix-sdk-crypto-0.10.0","matrix-sdk-crypto-0.11.0","matrix-sdk-crypto-0.4.0","matrix-sdk-crypto-0.4.1","matrix-sdk-crypto-0.8.0","matrix-sdk-crypto-0.9.0","matrix-sdk-crypto-ffi-0.1.0","matrix-sdk-crypto-ffi-0.1.1","matrix-sdk-crypto-ffi-0.1.10","matrix-sdk-crypto-ffi-0.1.2","matrix-sdk-crypto-ffi-0.1.3","matrix-sdk-crypto-ffi-0.1.4","matrix-sdk-crypto-ffi-0.1.5","matrix-sdk-crypto-ffi-0.1.6","matrix-sdk-crypto-ffi-0.1.7","matrix-sdk-crypto-ffi-0.1.8","matrix-sdk-crypto-ffi-0.1.9","matrix-sdk-crypto-ffi-0.11.0","matrix-sdk-crypto-ffi-0.2.0","matrix-sdk-crypto-ffi-0.2.1","matrix-sdk-crypto-ffi-0.3.0","matrix-sdk-crypto-ffi-0.3.1","matrix-sdk-crypto-ffi-0.3.10","matrix-sdk-crypto-ffi-0.3.11","matrix-sdk-crypto-ffi-0.3.12","matrix-sdk-crypto-ffi-0.3.13","matrix-sdk-crypto-ffi-0.3.2","matrix-sdk-crypto-ffi-0.3.4","matrix-sdk-crypto-ffi-0.3.5","matrix-sdk-crypto-ffi-0.3.7","matrix-sdk-crypto-ffi-0.3.8","matrix-sdk-crypto-ffi-0.3.9","matrix-sdk-crypto-ffi-0.4.0","matrix-sdk-crypto-ffi-0.4.1","matrix-sdk-crypto-ffi-0.4.2","matrix-sdk-crypto-ffi-0.4.3","matrix-sdk-crypto-js-v0.1.0-alpha.0","matrix-sdk-crypto-js-v0.1.0-alpha.1","matrix-sdk-crypto-js-v0.1.0-alpha.2","matrix-sdk-crypto-js-v0.1.0-alpha.4","matrix-sdk-ffi-0.11.0","matrix-sdk-ffi/20240618","matrix-sdk-ffi/20240704","matrix-sdk-ffi/20240722","matrix-sdk-ffi/20240813","matrix-sdk-ffi/20240827","matrix-sdk-ffi/20240904","matrix-sdk-ffi/20240911","matrix-sdk-ffi/20240913","matrix-sdk-ffi/20240918","matrix-sdk-ffi/20240924","matrix-sdk-ffi/20241008","matrix-sdk-ffi/20241024","matrix-sdk-ffi/20241107","matrix-sdk-ffi/20241127","matrix-sdk-ffi/20241203","matrix-sdk-ffi/20241204","matrix-sdk-ffi/20250131","matrix-sdk-ffi/20250225","matrix-sdk-ffi/20250306","matrix-sdk-ffi/20250320","matrix-sdk-ffi/20250325","matrix-sdk-ffi/20250408","matrix-sdk-ffi/20252502","matrix-sdk-indexeddb-0.10.0","matrix-sdk-indexeddb-0.11.0","matrix-sdk-indexeddb-0.8.0","matrix-sdk-indexeddb-0.9.0","matrix-sdk-qrcode-0.10.0","matrix-sdk-qrcode-0.11.0","matrix-sdk-qrcode-0.8.0","matrix-sdk-qrcode-0.9.0","matrix-sdk-sqlite-0.10.0","matrix-sdk-sqlite-0.11.0","matrix-sdk-sqlite-0.8.0","matrix-sdk-sqlite-0.9.0","matrix-sdk-store-encryption-0.10.0","matrix-sdk-store-encryption-0.11.0","matrix-sdk-store-encryption-0.8.0","matrix-sdk-store-encryption-0.9.0","matrix-sdk-test-0.10.0","matrix-sdk-test-0.11.0","matrix-sdk-test-0.4.0","matrix-sdk-test-macros-0.10.0","matrix-sdk-test-macros-0.11.0","matrix-sdk-ui-0.10.0","matrix-sdk-ui-0.11.0","matrix-sdk-ui-0.8.0","matrix-sdk-ui-0.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48937.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}