{"id":"RUSTSEC-2025-0041","summary":"matrix-sdk-crypto vulnerable to encrypted event sender spoofing by homeserver administrator","details":"matrix-sdk-crypto versions 0.8.0 up to and including 0.11.0 does not correctly validate\nthe sender of an encrypted event. Accordingly, a malicious homeserver operator\ncan modify events served to clients, making those events appear to the recipient\nas if they were sent by another user.\n\nAlthough the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we\nconsider this a High severity security issue.","aliases":["CVE-2025-48937","GHSA-x958-rvg6-956w"],"modified":"2025-06-12T09:41:55.278267Z","published":"2025-06-11T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/matrix-sdk-crypto"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0041.html"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w"}],"affected":[{"package":{"name":"matrix-sdk-crypto","ecosystem":"crates.io","purl":"pkg:cargo/matrix-sdk-crypto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.8.0"},{"fixed":"0.11.1"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"arch":[],"functions":[]}},"database_specific":{"categories":[],"informational":null,"cvss":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0041.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}