Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
50 vulnerabilities by element-hq
CVE-2026-45078 (GCVE-0-2026-45078)
Vulnerability from nvd – Published: 2026-05-28 15:52 – Updated: 2026-05-29 15:31
VLAI
EPSS
VEX
Title
Synapse CPU starvation (Denial of Service)
Summary
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.152.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:31:35.828810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:31:44.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.152.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:52:04.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g"
}
],
"source": {
"advisory": "GHSA-8q93-326v-3m7g",
"discovery": "UNKNOWN"
},
"title": "Synapse CPU starvation (Denial of Service)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45078",
"datePublished": "2026-05-28T15:52:04.765Z",
"dateReserved": "2026-05-08T18:45:10.097Z",
"dateUpdated": "2026-05-29T15:31:44.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45076 (GCVE-0-2026-45076)
Vulnerability from nvd – Published: 2026-05-28 15:50 – Updated: 2026-06-02 14:51
VLAI
EPSS
VEX
Title
Synapse pagination denial of service
Summary
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.152.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T14:51:22.795858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:51:34.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.152.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:50:25.842Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v"
}
],
"source": {
"advisory": "GHSA-6qf2-7x63-mm6v",
"discovery": "UNKNOWN"
},
"title": "Synapse pagination denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45076",
"datePublished": "2026-05-28T15:50:25.842Z",
"dateReserved": "2026-05-08T18:45:10.096Z",
"dateUpdated": "2026-06-02T14:51:34.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24044 (GCVE-0-2026-24044)
Vulnerability from nvd – Published: 2026-02-12 19:06 – Updated: 2026-02-12 20:05
VLAI
EPSS
VEX
Title
ESS Community Helm Chart has a weak server key generation method
Summary
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/ess-helm/security/a… | x_refsource_CONFIRM |
| https://github.com/element-hq/ess-helm/blob/main/… | x_refsource_MISC |
| https://github.com/element-hq/ess-helm/releases/t… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | ess-helm |
Affected:
< 25.12.1
|
|
| element-hq | matrix-tools |
Affected:
< 0.5.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:05:42.483919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:05:49.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ess-helm",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 25.12.1"
}
]
},
{
"product": "matrix-tools",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-336",
"description": "CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:06:12.998Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/ess-helm/security/advisories/GHSA-qwcj-h6m8-vp6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/ess-helm/security/advisories/GHSA-qwcj-h6m8-vp6q"
},
{
"name": "https://github.com/element-hq/ess-helm/blob/main/docs/maintenance.md#fixing-cve-2026-24044elementsec-2025-1670-manually",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/ess-helm/blob/main/docs/maintenance.md#fixing-cve-2026-24044elementsec-2025-1670-manually"
},
{
"name": "https://github.com/element-hq/ess-helm/releases/tag/25.12.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/ess-helm/releases/tag/25.12.2"
}
],
"source": {
"advisory": "GHSA-qwcj-h6m8-vp6q",
"discovery": "UNKNOWN"
},
"title": "ESS Community Helm Chart has a weak server key generation method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24044",
"datePublished": "2026-02-12T19:06:12.998Z",
"dateReserved": "2026-01-20T22:30:11.777Z",
"dateUpdated": "2026-02-12T20:05:49.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62425 (GCVE-0-2025-62425)
Vulnerability from nvd – Published: 2025-10-16 18:44 – Updated: 2025-10-16 19:34
VLAI
EPSS
VEX
Title
Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password
Summary
MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/matrix-authenticati… | x_refsource_CONFIRM |
| https://github.com/element-hq/matrix-authenticati… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | matrix-authentication-service |
Affected:
>= 0.20.0, <= 1.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T19:34:02.667856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:34:11.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "matrix-authentication-service",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.20.0, \u003c= 1.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620: Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:44:02.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh"
},
{
"name": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5"
}
],
"source": {
"advisory": "GHSA-6wfp-jq3r-j9xh",
"discovery": "UNKNOWN"
},
"title": "Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62425",
"datePublished": "2025-10-16T18:44:02.616Z",
"dateReserved": "2025-10-13T16:26:12.180Z",
"dateUpdated": "2025-10-16T19:34:11.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61672 (GCVE-0-2025-61672)
Vulnerability from nvd – Published: 2025-10-08 14:55 – Updated: 2025-10-15 16:11
VLAI
EPSS
VEX
Title
Synapse: Invalid device keys degrade federation functionality
Summary
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/element-hq/synapse/pull/17097 | x_refsource_MISC |
| https://github.com/element-hq/synapse/commit/26aa… | x_refsource_MISC |
| https://github.com/element-hq/synapse/commit/7069… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.138.3
Affected: = 1.139.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T16:10:58.297046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T16:11:07.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.138.3"
},
{
"status": "affected",
"version": "= 1.139.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T14:55:06.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
},
{
"name": "https://github.com/element-hq/synapse/pull/17097",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/pull/17097"
},
{
"name": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
},
{
"name": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.138.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.139.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
}
],
"source": {
"advisory": "GHSA-fh66-fcv5-jjfr",
"discovery": "UNKNOWN"
},
"title": "Synapse: Invalid device keys degrade federation functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61672",
"datePublished": "2025-10-08T14:55:06.378Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-15T16:11:07.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59161 (GCVE-0-2025-59161)
Vulnerability from nvd – Published: 2025-09-16 16:44 – Updated: 2025-09-16 18:26
VLAI
EPSS
VEX
Title
In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/securit… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-web/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-web |
Affected:
< 1.11.112
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:24.810855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:26:26.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.112"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room\u0027s entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker\u0027s room and restoring the original room."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:44:15.660Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr"
},
{
"name": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5"
}
],
"source": {
"advisory": "GHSA-m6c8-98f4-75rr",
"discovery": "UNKNOWN"
},
"title": "In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59161",
"datePublished": "2025-09-16T16:44:15.660Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-09-16T18:26:26.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27599 (GCVE-0-2025-27599)
Vulnerability from nvd – Published: 2025-04-18 15:49 – Updated: 2025-04-18 16:06
VLAI
EPSS
VEX
Title
Element X Android vulnerable to loading malicious web pages via received intent
Summary
Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-android/s… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-x-android/c… | x_refsource_MISC |
| https://github.com/element-hq/element-x-android/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-android |
Affected:
< 25.04.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:05:58.191971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:06:04.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 25.04.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "CWE-926: Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:49:11.899Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m"
},
{
"name": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e"
},
{
"name": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2"
}
],
"source": {
"advisory": "GHSA-m5px-pwq3-4p5m",
"discovery": "UNKNOWN"
},
"title": "Element X Android vulnerable to loading malicious web pages via received intent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27599",
"datePublished": "2025-04-18T15:49:11.899Z",
"dateReserved": "2025-03-03T15:10:34.078Z",
"dateUpdated": "2025-04-18T16:06:04.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32026 (GCVE-0-2025-32026)
Vulnerability from nvd – Published: 2025-04-08 15:22 – Updated: 2025-04-08 20:02
VLAI
EPSS
VEX
Title
Element Web could load a malicious instance of Element Call leaking media encryption keys
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-web |
Affected:
>= 1.11.16, < 1.11.97
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T20:02:07.589546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:02:20.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.16, \u003c 1.11.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T15:22:54.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79"
}
],
"source": {
"advisory": "GHSA-69q3-jg79-cg79",
"discovery": "UNKNOWN"
},
"title": "Element Web could load a malicious instance of Element Call leaking media encryption keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32026",
"datePublished": "2025-04-08T15:22:54.903Z",
"dateReserved": "2025-04-01T21:57:32.956Z",
"dateUpdated": "2025-04-08T20:02:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31127 (GCVE-0-2025-31127)
Vulnerability from nvd – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
VLAI
EPSS
VEX
Title
Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call
Summary
Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-android/s… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-meta/issues/2441 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-android |
Affected:
>= 0.4.16, < 25.03.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:24:36.927877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:24:45.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.16, \u003c 25.03.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:54:22.695Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6"
},
{
"name": "https://github.com/element-hq/element-meta/issues/2441",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-meta/issues/2441"
}
],
"source": {
"advisory": "GHSA-x2g5-f28j-p7w6",
"discovery": "UNKNOWN"
},
"title": "Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31127",
"datePublished": "2025-04-03T17:54:22.695Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-04-07T18:24:45.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31126 (GCVE-0-2025-31126)
Vulnerability from nvd – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
VLAI
EPSS
VEX
Title
Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call
Summary
Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-ios/secur… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-meta/issues/2441 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-ios |
Affected:
>= 1.6.13, < 25.03.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:23:56.839530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:24:07.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-ios",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.13, \u003c 25.03.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:54:27.901Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j"
},
{
"name": "https://github.com/element-hq/element-meta/issues/2441",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-meta/issues/2441"
}
],
"source": {
"advisory": "GHSA-69qf-p24v-rf8j",
"discovery": "UNKNOWN"
},
"title": "Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31126",
"datePublished": "2025-04-03T17:54:27.901Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-04-07T18:24:07.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30355 (GCVE-0-2025-30355)
Vulnerability from nvd – Published: 2025-03-27 00:59 – Updated: 2025-03-27 13:47
VLAI
EPSS
VEX
Title
Synapse vulnerable to federation denial of service via malformed events
Summary
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/element-hq/synapse/commit/2277… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.127.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:47:41.011255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T13:47:50.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.127.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T00:59:27.996Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
},
{
"name": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.127.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
}
],
"source": {
"advisory": "GHSA-v56r-hwv5-mxg6",
"discovery": "UNKNOWN"
},
"title": "Synapse vulnerable to federation denial of service via malformed events"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30355",
"datePublished": "2025-03-27T00:59:27.996Z",
"dateReserved": "2025-03-21T14:12:06.270Z",
"dateUpdated": "2025-03-27T13:47:50.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27606 (GCVE-0-2025-27606)
Vulnerability from nvd – Published: 2025-03-14 16:56 – Updated: 2025-03-14 18:11
VLAI
EPSS
VEX
Title
Element Android PIN autologout bypass
Summary
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
Severity
5.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-488 - Exposure of Data Element to Wrong Session
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-android/sec… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-android/com… | x_refsource_MISC |
| https://github.com/element-hq/element-android/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-android |
Affected:
< 1.6.34
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T18:07:15.449909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:11:03.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488: Exposure of Data Element to Wrong Session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T16:56:23.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch"
},
{
"name": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c"
},
{
"name": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304"
}
],
"source": {
"advisory": "GHSA-632v-9pm3-m8ch",
"discovery": "UNKNOWN"
},
"title": "Element Android PIN autologout bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27606",
"datePublished": "2025-03-14T16:56:23.217Z",
"dateReserved": "2025-03-03T15:10:34.079Z",
"dateUpdated": "2025-03-14T18:11:03.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53867 (GCVE-0-2024-53867)
Vulnerability from nvd – Published: 2024-12-03 16:52 – Updated: 2024-12-03 19:07
VLAI
EPSS
VEX
Title
Synapse Matrix has a partial room state leak via Sliding Sync
Summary
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/matrix-org/matrix-spec-proposa… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
>= 1.113.0rc1, < 1.120.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T19:07:06.315341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T19:07:19.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.113.0rc1, \u003c 1.120.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T16:52:01.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h"
},
{
"name": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/4186"
}
],
"source": {
"advisory": "GHSA-56w4-5538-8v8h",
"discovery": "UNKNOWN"
},
"title": "Synapse Matrix has a partial room state leak via Sliding Sync"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53867",
"datePublished": "2024-12-03T16:52:01.596Z",
"dateReserved": "2024-11-22T17:30:02.145Z",
"dateUpdated": "2024-12-03T19:07:19.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53863 (GCVE-0-2024-53863)
Vulnerability from nvd – Published: 2024-12-03 16:48 – Updated: 2024-12-03 19:08
VLAI
EPSS
VEX
Title
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
Summary
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.120.1
|
|
| element-hq | synapse |
Affected:
0 , < 1.120.1
(custom)
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"lessThan": "1.120.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-53863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T19:07:32.536899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T19:08:30.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.120.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T16:48:29.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g"
}
],
"source": {
"advisory": "GHSA-vp6v-whfm-rv3g",
"discovery": "UNKNOWN"
},
"title": "Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-53863",
"datePublished": "2024-12-03T16:48:29.722Z",
"dateReserved": "2024-11-22T17:30:02.145Z",
"dateUpdated": "2024-12-03T19:08:30.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52815 (GCVE-0-2024-52815)
Vulnerability from nvd – Published: 2024-12-03 16:58 – Updated: 2024-12-03 19:06
VLAI
EPSS
VEX
Title
Synapse allows a a malformed invite to break the invitee's `/sync`
Summary
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.120.1
|
|
| element-hq | synapse |
Affected:
0 , < 1.120.1
(custom)
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"lessThan": "1.120.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T19:05:32.860627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T19:06:11.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.120.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user\u0027s /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T16:59:21.634Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h"
}
],
"source": {
"advisory": "GHSA-f3r3-h2mq-hx2h",
"discovery": "UNKNOWN"
},
"title": "Synapse allows a a malformed invite to break the invitee\u0027s `/sync`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52815",
"datePublished": "2024-12-03T16:58:30.877Z",
"dateReserved": "2024-11-15T17:11:13.444Z",
"dateUpdated": "2024-12-03T19:06:11.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52805 (GCVE-0-2024-52805)
Vulnerability from nvd – Published: 2024-12-03 17:01 – Updated: 2024-12-03 19:04
VLAI
EPSS
VEX
Title
Synapse allows unsupported content types to lead to memory exhaustion
Summary
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/twisted/twisted/issues/4688#is… | x_refsource_MISC |
| https://github.com/twisted/twisted/issues/4688#is… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.120.1
|
|
| element-hq | synapse |
Affected:
0 , < 1.120.1
(custom)
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"lessThan": "1.120.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52805",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T19:04:05.237385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T19:04:44.446Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.120.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T17:01:50.119Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2"
},
{
"name": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518"
},
{
"name": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609"
}
],
"source": {
"advisory": "GHSA-rfq8-j7rh-8hf2",
"discovery": "UNKNOWN"
},
"title": "Synapse allows unsupported content types to lead to memory exhaustion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52805",
"datePublished": "2024-12-03T17:01:50.119Z",
"dateReserved": "2024-11-15T17:11:13.442Z",
"dateUpdated": "2024-12-03T19:04:44.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37303 (GCVE-0-2024-37303)
Vulnerability from nvd – Published: 2024-12-03 17:06 – Updated: 2024-12-03 18:51
VLAI
EPSS
VEX
Title
Synapse unauthenticated writes to the media repository allow planting of problematic content
Summary
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/matrix-org/matrix-spec-proposa… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.106
|
|
| element-hq | synapse |
Affected:
0 , < 1.106
(custom)
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"lessThan": "1.106",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T18:49:29.668536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:51:29.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T17:06:02.467Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr"
},
{
"name": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3916"
}
],
"source": {
"advisory": "GHSA-gjgr-7834-rhxr",
"discovery": "UNKNOWN"
},
"title": "Synapse unauthenticated writes to the media repository allow planting of problematic content"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37303",
"datePublished": "2024-12-03T17:06:02.467Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-12-03T18:51:29.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37302 (GCVE-0-2024-37302)
Vulnerability from nvd – Published: 2024-12-03 17:04 – Updated: 2024-12-03 18:56
VLAI
EPSS
VEX
Title
Synapse denial of service through media disk space consumption
Summary
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.106
|
|
| element-hq | synapse |
Affected:
0 , < 1.106
(custom)
cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"lessThan": "1.106",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T18:55:21.581964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T18:56:17.082Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new \"leaky bucket\" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user\u0027s ability to request large amounts of data to be cached."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T17:04:15.839Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x"
}
],
"source": {
"advisory": "GHSA-4mhg-xv73-xq2x",
"discovery": "UNKNOWN"
},
"title": "Synapse denial of service through media disk space consumption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-37302",
"datePublished": "2024-12-03T17:04:15.839Z",
"dateReserved": "2024-06-05T20:10:46.497Z",
"dateUpdated": "2024-12-03T18:56:17.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-45078 (GCVE-0-2026-45078)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:52 – Updated: 2026-05-29 15:31
VLAI
EPSS
VEX
Title
Synapse CPU starvation (Denial of Service)
Summary
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.152.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:31:35.828810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:31:44.793Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.152.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:52:04.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g"
}
],
"source": {
"advisory": "GHSA-8q93-326v-3m7g",
"discovery": "UNKNOWN"
},
"title": "Synapse CPU starvation (Denial of Service)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45078",
"datePublished": "2026-05-28T15:52:04.765Z",
"dateReserved": "2026-05-08T18:45:10.097Z",
"dateUpdated": "2026-05-29T15:31:44.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45076 (GCVE-0-2026-45076)
Vulnerability from cvelistv5 – Published: 2026-05-28 15:50 – Updated: 2026-06-02 14:51
VLAI
EPSS
VEX
Title
Synapse pagination denial of service
Summary
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.152.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T14:51:22.795858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T14:51:34.553Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.152.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:50:25.842Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v"
}
],
"source": {
"advisory": "GHSA-6qf2-7x63-mm6v",
"discovery": "UNKNOWN"
},
"title": "Synapse pagination denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45076",
"datePublished": "2026-05-28T15:50:25.842Z",
"dateReserved": "2026-05-08T18:45:10.096Z",
"dateUpdated": "2026-06-02T14:51:34.553Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24044 (GCVE-0-2026-24044)
Vulnerability from cvelistv5 – Published: 2026-02-12 19:06 – Updated: 2026-02-12 20:05
VLAI
EPSS
VEX
Title
ESS Community Helm Chart has a weak server key generation method
Summary
Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/ess-helm/security/a… | x_refsource_CONFIRM |
| https://github.com/element-hq/ess-helm/blob/main/… | x_refsource_MISC |
| https://github.com/element-hq/ess-helm/releases/t… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | ess-helm |
Affected:
< 25.12.1
|
|
| element-hq | matrix-tools |
Affected:
< 0.5.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24044",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T20:05:42.483919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T20:05:49.862Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ess-helm",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 25.12.1"
}
]
},
{
"product": "matrix-tools",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Server Suite Community Edition (ESS Community) deploys a Matrix stack using the provided Helm charts and Kubernetes distribution. The ESS Community Helm Chart secrets initialization hook (using matrix-tools container before 0.5.7) is using an insecure Matrix server key generation method, allowing network attackers to potentially recreate the same key pair, allowing them to impersonate the victim server. The secret is generated by the secrets initialization hook, in the ESS Community Helm Chart values, if both initSecrets.enabled is not set to false and synapse.signingKey is not defined. Given a server key in Matrix authenticates both requests originating from and events constructed on a given server, this potentially impacts confidentiality, integrity and availability of rooms which have a vulnerable server present as a member. The confidentiality of past conversations in end-to-end encrypted rooms is not impacted. The key generation issue was fixed in matrix-tools 0.5.7, released as part of ESS Community Helm Chart 25.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-336",
"description": "CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T19:06:12.998Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/ess-helm/security/advisories/GHSA-qwcj-h6m8-vp6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/ess-helm/security/advisories/GHSA-qwcj-h6m8-vp6q"
},
{
"name": "https://github.com/element-hq/ess-helm/blob/main/docs/maintenance.md#fixing-cve-2026-24044elementsec-2025-1670-manually",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/ess-helm/blob/main/docs/maintenance.md#fixing-cve-2026-24044elementsec-2025-1670-manually"
},
{
"name": "https://github.com/element-hq/ess-helm/releases/tag/25.12.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/ess-helm/releases/tag/25.12.2"
}
],
"source": {
"advisory": "GHSA-qwcj-h6m8-vp6q",
"discovery": "UNKNOWN"
},
"title": "ESS Community Helm Chart has a weak server key generation method"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24044",
"datePublished": "2026-02-12T19:06:12.998Z",
"dateReserved": "2026-01-20T22:30:11.777Z",
"dateUpdated": "2026-02-12T20:05:49.862Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62425 (GCVE-0-2025-62425)
Vulnerability from cvelistv5 – Published: 2025-10-16 18:44 – Updated: 2025-10-16 19:34
VLAI
EPSS
VEX
Title
Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password
Summary
MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
Severity
8.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/matrix-authenticati… | x_refsource_CONFIRM |
| https://github.com/element-hq/matrix-authenticati… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | matrix-authentication-service |
Affected:
>= 0.20.0, <= 1.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-16T19:34:02.667856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T19:34:11.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "matrix-authentication-service",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.20.0, \u003c= 1.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620: Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-16T18:44:02.616Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh"
},
{
"name": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5"
}
],
"source": {
"advisory": "GHSA-6wfp-jq3r-j9xh",
"discovery": "UNKNOWN"
},
"title": "Matrix Authentication Service account password can be changed using an authenticated session without supplying the current password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62425",
"datePublished": "2025-10-16T18:44:02.616Z",
"dateReserved": "2025-10-13T16:26:12.180Z",
"dateUpdated": "2025-10-16T19:34:11.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61672 (GCVE-0-2025-61672)
Vulnerability from cvelistv5 – Published: 2025-10-08 14:55 – Updated: 2025-10-15 16:11
VLAI
EPSS
VEX
Title
Synapse: Invalid device keys degrade federation functionality
Summary
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1287 - Improper Validation of Specified Type of Input
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/element-hq/synapse/pull/17097 | x_refsource_MISC |
| https://github.com/element-hq/synapse/commit/26aa… | x_refsource_MISC |
| https://github.com/element-hq/synapse/commit/7069… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.138.3
Affected: = 1.139.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61672",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T16:10:58.297046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T16:11:07.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.138.3"
},
{
"status": "affected",
"version": "= 1.139.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287: Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-08T14:55:06.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
},
{
"name": "https://github.com/element-hq/synapse/pull/17097",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/pull/17097"
},
{
"name": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
},
{
"name": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.138.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.139.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
}
],
"source": {
"advisory": "GHSA-fh66-fcv5-jjfr",
"discovery": "UNKNOWN"
},
"title": "Synapse: Invalid device keys degrade federation functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61672",
"datePublished": "2025-10-08T14:55:06.378Z",
"dateReserved": "2025-09-29T20:25:16.180Z",
"dateUpdated": "2025-10-15T16:11:07.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59161 (GCVE-0-2025-59161)
Vulnerability from cvelistv5 – Published: 2025-09-16 16:44 – Updated: 2025-09-16 18:26
VLAI
EPSS
VEX
Title
In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/securit… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-web/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-web |
Affected:
< 1.11.112
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T17:29:24.810855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T18:26:26.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.112"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room\u0027s entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker\u0027s room and restoring the original room."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T16:44:15.660Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-m6c8-98f4-75rr"
},
{
"name": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-web/commit/8e9a43d70c90e6a3b110cd0a377296079e4c81f5"
}
],
"source": {
"advisory": "GHSA-m6c8-98f4-75rr",
"discovery": "UNKNOWN"
},
"title": "In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-59161",
"datePublished": "2025-09-16T16:44:15.660Z",
"dateReserved": "2025-09-09T15:23:16.327Z",
"dateUpdated": "2025-09-16T18:26:26.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27599 (GCVE-0-2025-27599)
Vulnerability from cvelistv5 – Published: 2025-04-18 15:49 – Updated: 2025-04-18 16:06
VLAI
EPSS
VEX
Title
Element X Android vulnerable to loading malicious web pages via received intent
Summary
Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-android/s… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-x-android/c… | x_refsource_MISC |
| https://github.com/element-hq/element-x-android/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-android |
Affected:
< 25.04.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T16:05:58.191971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T16:06:04.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 25.04.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X Android is a Matrix Android Client provided by element.io. Prior to version 25.04.2, a crafted hyperlink on a webpage, or a locally installed malicious app, can force Element X up to version 25.04.1 to load a webpage with similar permissions to Element Call and automatically grant it temporary access to microphone and camera. This issue has been patched in version 25.04.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-926",
"description": "CWE-926: Improper Export of Android Application Components",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:49:11.899Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-m5px-pwq3-4p5m"
},
{
"name": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-x-android/commit/dc058544d7e693c04298191c1aadd5b39c9be52e"
},
{
"name": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-x-android/releases/tag/v25.04.2"
}
],
"source": {
"advisory": "GHSA-m5px-pwq3-4p5m",
"discovery": "UNKNOWN"
},
"title": "Element X Android vulnerable to loading malicious web pages via received intent"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27599",
"datePublished": "2025-04-18T15:49:11.899Z",
"dateReserved": "2025-03-03T15:10:34.078Z",
"dateUpdated": "2025-04-18T16:06:04.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32026 (GCVE-0-2025-32026)
Vulnerability from cvelistv5 – Published: 2025-04-08 15:22 – Updated: 2025-04-08 20:02
VLAI
EPSS
VEX
Title
Element Web could load a malicious instance of Element Call leaking media encryption keys
Summary
Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-web/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-web |
Affected:
>= 1.11.16, < 1.11.97
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T20:02:07.589546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:02:20.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-web",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.11.16, \u003c 1.11.97"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T15:22:54.903Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-web/security/advisories/GHSA-69q3-jg79-cg79"
}
],
"source": {
"advisory": "GHSA-69q3-jg79-cg79",
"discovery": "UNKNOWN"
},
"title": "Element Web could load a malicious instance of Element Call leaking media encryption keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32026",
"datePublished": "2025-04-08T15:22:54.903Z",
"dateReserved": "2025-04-01T21:57:32.956Z",
"dateUpdated": "2025-04-08T20:02:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31126 (GCVE-0-2025-31126)
Vulnerability from cvelistv5 – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
VLAI
EPSS
VEX
Title
Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call
Summary
Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-ios/secur… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-meta/issues/2441 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-ios |
Affected:
>= 1.6.13, < 25.03.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:23:56.839530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:24:07.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-ios",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.6.13, \u003c 25.03.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X iOS is a Matrix iOS Client provided by Element. In Element X iOS version between 1.6.13 and 25.03.7, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:54:27.901Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-ios/security/advisories/GHSA-69qf-p24v-rf8j"
},
{
"name": "https://github.com/element-hq/element-meta/issues/2441",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-meta/issues/2441"
}
],
"source": {
"advisory": "GHSA-69qf-p24v-rf8j",
"discovery": "UNKNOWN"
},
"title": "Element X iOS allows the entity in control of the well-known file to break the confidentiality of embedded Element Call"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31126",
"datePublished": "2025-04-03T17:54:27.901Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-04-07T18:24:07.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-31127 (GCVE-0-2025-31127)
Vulnerability from cvelistv5 – Published: 2025-04-03 17:54 – Updated: 2025-04-07 18:24
VLAI
EPSS
VEX
Title
Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call
Summary
Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-x-android/s… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-meta/issues/2441 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-x-android |
Affected:
>= 0.4.16, < 25.03.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T18:24:36.927877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:24:45.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-x-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.4.16, \u003c 25.03.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T17:54:22.695Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-x-android/security/advisories/GHSA-x2g5-f28j-p7w6"
},
{
"name": "https://github.com/element-hq/element-meta/issues/2441",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-meta/issues/2441"
}
],
"source": {
"advisory": "GHSA-x2g5-f28j-p7w6",
"discovery": "UNKNOWN"
},
"title": "Element X Android allows the entity in control of the well-known file to break the confidentiality embedded Element Call"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31127",
"datePublished": "2025-04-03T17:54:22.695Z",
"dateReserved": "2025-03-26T15:04:52.626Z",
"dateUpdated": "2025-04-07T18:24:45.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30355 (GCVE-0-2025-30355)
Vulnerability from cvelistv5 – Published: 2025-03-27 00:59 – Updated: 2025-03-27 13:47
VLAI
EPSS
VEX
Title
Synapse vulnerable to federation denial of service via malformed events
Summary
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/security/ad… | x_refsource_CONFIRM |
| https://github.com/element-hq/synapse/commit/2277… | x_refsource_MISC |
| https://github.com/element-hq/synapse/releases/ta… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | synapse |
Affected:
< 1.127.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30355",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:47:41.011255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T13:47:50.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "synapse",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.127.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T00:59:27.996Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
},
{
"name": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
},
{
"name": "https://github.com/element-hq/synapse/releases/tag/v1.127.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
}
],
"source": {
"advisory": "GHSA-v56r-hwv5-mxg6",
"discovery": "UNKNOWN"
},
"title": "Synapse vulnerable to federation denial of service via malformed events"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30355",
"datePublished": "2025-03-27T00:59:27.996Z",
"dateReserved": "2025-03-21T14:12:06.270Z",
"dateUpdated": "2025-03-27T13:47:50.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27606 (GCVE-0-2025-27606)
Vulnerability from cvelistv5 – Published: 2025-03-14 16:56 – Updated: 2025-03-14 18:11
VLAI
EPSS
VEX
Title
Element Android PIN autologout bypass
Summary
Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.
Severity
5.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-488 - Exposure of Data Element to Wrong Session
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/element-hq/element-android/sec… | x_refsource_CONFIRM |
| https://github.com/element-hq/element-android/com… | x_refsource_MISC |
| https://github.com/element-hq/element-android/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| element-hq | element-android |
Affected:
< 1.6.34
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T18:07:15.449909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:11:03.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "element-android",
"vendor": "element-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.34"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-488",
"description": "CWE-488: Exposure of Data Element to Wrong Session",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T16:56:23.217Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch"
},
{
"name": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c"
},
{
"name": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304"
}
],
"source": {
"advisory": "GHSA-632v-9pm3-m8ch",
"discovery": "UNKNOWN"
},
"title": "Element Android PIN autologout bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27606",
"datePublished": "2025-03-14T16:56:23.217Z",
"dateReserved": "2025-03-03T15:10:34.079Z",
"dateUpdated": "2025-03-14T18:11:03.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}