{"id":"RUSTSEC-2025-0043","summary":"matrix-sdk-sqlite: SQL injection vulnerability in `SqliteEventCacheStore::find_event_with_relations`","details":"The `SqliteEventCacheStore::find_event_with_relations` function constructs SQL\nqueries using `format!()` with unescaped input, allowing an attacker to inject\narbitrary SQL. This results in a SQL injection vulnerability.","aliases":["CVE-2025-53549","GHSA-275g-g844-73jh"],"modified":"2025-07-11T15:41:59.727517Z","published":"2025-07-11T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/matrix-sdk-sqlite"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0043.html"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-275g-g844-73jh"}],"affected":[{"package":{"name":"matrix-sdk-sqlite","ecosystem":"crates.io","purl":"pkg:cargo/matrix-sdk-sqlite"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.11.0"},{"fixed":"0.13.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"functions":["matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations"],"os":[]}},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0043.json","categories":["format-injection"],"informational":null}}],"schema_version":"1.7.3"}