
Matrix chat platform acknowledges two serious protocol vulnerabilities that require significant corrective measures

"The latest advisory warns that federated servers face critical exposure, while individuals running single-instance servers have more leeway to update at their convenience"


High-Severity Vulnerabilities Discovered in the Matrix Messaging Protocol

Two high-severity vulnerabilities have been identified in the Matrix messaging protocol, both in its state resolution algorithm, the mechanism by which federated servers agree on a room's current state. The flaws could allow a malicious actor to manipulate room state, which in turn could let them take over private rooms or gain elevated permissions in them.

The first vulnerability is tracked as CVE-2025-49090; the second has not yet been assigned a CVE ID but is rated equally severe. Successful exploitation could have serious consequences, given Matrix's widespread use by governments and enterprises for secure communications.

Under a coordinated security project codenamed Hydra, the Matrix Foundation and the Element team developed fixes for both issues under embargo. The fix ships as room version 12, which carries significant protocol-level hardening and was delivered in an off-cycle security release on August 11, 2025.

Updated releases of all major Matrix server implementations, including Synapse, Dendrite, Conduit, ejabberd and Rocket.Chat, have also been published to address these vulnerabilities.

What Users Need to Do

Servers that participate in open federation should apply the update immediately, because they are exposed to untrusted remote servers. Servers in restricted federation environments must also update, especially if they communicate with partners they do not fully trust. Single-instance, unfederated homeservers are not exposed to untrusted servers and so have no urgent need to update, though they should still do so in the normal course of maintenance.

Room and community admins who host federated spaces with untrusted servers are advised to upgrade those rooms to room version 12 once they have confirmed that their clients and servers support it. The Matrix Foundation plans to move its own public rooms to room version 12 by September 2025, giving the ecosystem time to adopt the new version.
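The procedure above amounts to three checks: confirm the homeserver advertises room version 12 as stable, find joined rooms still on an older version, and upgrade them. The script below is an added example (not code from the Matrix Foundation, Element or any homeserver project) that does exactly that against the Matrix Client-Server API endpoints `/_matrix/client/v3/capabilities`, `/_matrix/client/v3/joined_rooms`, `/_matrix/client/v3/rooms/{roomId}/state/m.room.create` and `/_matrix/client/v3/rooms/{roomId}/upgrade`. The homeserver URL, access token and the `SAMPLE_*` responses are constructed placeholders, so the audit logic runs offline; only `audit_live()` and `upgrade_room()` touch the network.

```python
"""Find Matrix rooms that still need upgrading to room version 12.

Added example, not code from the Matrix Foundation, Element or any homeserver
project. HOMESERVER, ACCESS_TOKEN and the SAMPLE_* data are constructed
placeholders; replace the first two to run the live audit.
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Tuple

HOMESERVER = "https://matrix.example.org"  # placeholder
ACCESS_TOKEN = "PLACEHOLDER_ACCESS_TOKEN"  # placeholder; a real user's token
TARGET_VERSION = "12"                      # room version carrying the Hydra fixes


def _request(method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal authenticated call against the Client-Server API (network only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(HOMESERVER + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {ACCESS_TOKEN}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def server_supports(capabilities: dict, version: str = TARGET_VERSION) -> bool:
    """True when GET /capabilities lists `version` under m.room_versions.available
    as "stable". An "unstable" entry means the server is still on an
    experimental build and rooms should not be moved to it yet."""
    versions = capabilities.get("capabilities", {}).get("m.room_versions", {})
    return versions.get("available", {}).get(version) == "stable"


def room_version_of(create_content: dict) -> str:
    """Room version from the m.room.create event content. Rooms created before
    room versions existed carry no field; the spec treats that as version "1"."""
    return str(create_content.get("room_version", "1"))


def needs_upgrade(version: str, target: str = TARGET_VERSION) -> bool:
    """Numeric versions below `target` need upgrading. Non-numeric identifiers
    (vendor or unstable versions) are flagged too so a human reviews them."""
    try:
        return int(version) < int(target)
    except ValueError:
        return True


def rooms_to_upgrade(create_events: Dict[str, dict],
                     target: str = TARGET_VERSION) -> List[Tuple[str, str]]:
    """(room_id, current_version) for every room whose version should be upgraded,
    given a mapping of room ID -> m.room.create content."""
    return sorted((rid, room_version_of(c)) for rid, c in create_events.items()
                  if needs_upgrade(room_version_of(c), target))


def audit_live() -> List[Tuple[str, str]]:
    """Run the audit against HOMESERVER. Refuses to proceed until the server
    itself advertises stable support for the target version."""
    caps = _request("GET", "/_matrix/client/v3/capabilities")
    if not server_supports(caps):
        raise RuntimeError(f"{HOMESERVER} does not advertise room version "
                           f"{TARGET_VERSION} as stable; update the server first")
    joined = _request("GET", "/_matrix/client/v3/joined_rooms")["joined_rooms"]
    creates = {
        rid: _request("GET", "/_matrix/client/v3/rooms/"
                      f"{urllib.parse.quote(rid, safe='')}/state/m.room.create")
        for rid in joined
    }
    return rooms_to_upgrade(creates)


def upgrade_room(room_id: str, new_version: str = TARGET_VERSION) -> str:
    """POST /rooms/{roomId}/upgrade creates a replacement room, tombstones the
    old one and returns the new room ID; members must follow the tombstone."""
    path = f"/_matrix/client/v3/rooms/{urllib.parse.quote(room_id, safe='')}/upgrade"
    return _request("POST", path, {"new_version": new_version})["replacement_room"]


# Constructed sample API responses (not captured from a real server).
SAMPLE_CAPABILITIES = {"capabilities": {"m.room_versions": {
    "default": "12",
    "available": {"1": "stable", "10": "stable", "11": "stable", "12": "stable",
                  "org.example.experimental": "unstable"}}}}

SAMPLE_CREATE_EVENTS = {
    "!legacy:example.org": {"creator": "@alice:example.org"},  # no field -> "1"
    "!ops:example.org": {"room_version": "10"},
    "!hardened:example.org": {"room_version": "12"},
    "!lab:example.org": {"room_version": "org.example.experimental"},
}

if __name__ == "__main__":
    if server_supports(SAMPLE_CAPABILITIES):
        for rid, ver in rooms_to_upgrade(SAMPLE_CREATE_EVENTS):
            print(f"{rid} is on room version {ver}; upgrade to {TARGET_VERSION}")
```

Two caveats worth keeping in mind: a room upgrade is not in place, it creates a new room and leaves a tombstone in the old one, so members on every federated server must follow it; and a server whose `/capabilities` response lists 12 only as "unstable" has not actually shipped the fixed release, so the audit deliberately stops there rather than reporting rooms.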

The update is presented as a routine security release, coordinated across Matrix implementations so that interoperability is preserved. Protection against the undisclosed attacks depends on support for room version 12; the matrix.org homeserver itself will move to room version 12 in September.

Matthew Hodgson, CEO of Element, has stated that these are not critical vulnerabilities and that they have not been seen exploited in the wild, but that prompt updates are nonetheless needed to prevent potential exploitation. Hodgson has been critical of rival chat platforms, notably Telegram after its chief's arrest in France last year, and Elon Musk's XChat, which he describes as "just another centralized platform where users have zero control over their data." Full details of the vulnerabilities will be explained in a blog post to be published on August 14.
