{"id":"CVE-2025-59160","summary":"matrix-js-sdk has insufficient validation when considering a room to be upgraded by another","details":"Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.","aliases":["GHSA-mp7c-m3rh-r56v"],"modified":"2026-04-10T05:31:48.806976Z","published":"2025-09-16T16:37:54.185Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59160.json","cwe_ids":["CWE-345"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59160.json"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59160"},{"type":"FIX","url":"https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/matrix-js-sdk","events":[{"introduced":"0"},{"fixed":"4a9006aea68f9d4d7fad3965e754e89b03fb286f"}]}],"versions":["no-media-devices-release","v0.1.0","v0.1.1","v0.10.2","v0.10.2-rc.1","v0.10.3","v0.10.3-rc.1","v0.10.5","v0.10.5-rc.1","v0.10.7","v0.10.7-rc.1","v0.11.0","v0.11.0-rc.1","v0.2.0","v0.2.1","v0.2.2","v0.4.1","v0.4.2","v0.5.0","v0.5.1","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.6","v0.6.0-rc1","v0.6.0-rc2","v0.6.1","v0.6.2","v0.6.4","v0.6.4-rc.2","v0.7.1-rc.1","v0.7.10","v0.7.2","v0.7.4","v0.7.4-rc.1","v0.7.9","v0.8.0","v0.8.1","v0.8.1-rc.1","v0.8.2","v0.8.3","v0.8.3-rc.1","v1.0.0","v1.0.0-rc.1","v1.0.0-rc.2","v2.0.1","v2.0.1-rc.1","v2.0.1-rc.2","v2.4.1","v26.1.0-patch.1","v26.2.0-no-media-devices-hotfix","v30.1.0-rc.0","v30.1.0-rc.1","v30.2.0-rc.0","v31.2.0-rc.0","v34.2.0","v38.0.0-rc.1","v38.1.0","v38.1.0-rc.0","v5.0.1","v7.1.0","v7.1.0-rc.1","v8.0.0","v8.1.0","v8.1.0-rc.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59160.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"}]}