CVE-2025-68667

Published 23/12/2025 23:15 · Modified 23/12/2025 23:15

Labels: CVE-2025-68667, 2025-12-23, CWE-20, [email protected]

Essential information

Published: 23/12/2025 23:15
Modified: 23/12/2025 23:15
Author:
Creator:
CVSS: 9.9 CRITICAL (v3), 9.9 CRITICAL (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

continuwuity is a Matrix homeserver written in Rust. Versions prior to 0.5.0 contain a vulnerability that allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. The issue is patched in version 0.5.0. As a workaround, block access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint at the reverse proxy.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: continuwuity / homeserver
CPE: cpe:2.3:a:continuwuity:homeserver:*:*:*:*:*:*:*:*
