Matrix-js-sDK, Insufficient Validation Vulnerability, CVE-2025-43848 (Low)

Listen to this Post

The vulnerability exists within the `MatrixClient::getJoinedRooms()` method of the matrix-js-sDK. When a room is tombstoned (marked for upgrade), it contains a link (m.room.predecessor) to its replacement room. The SDK insufficiently validated these predecessor links. An attacker could create a malicious room and craft a predecessor event in a tombstoned room that points to it. When `getJoinedRooms()` is called, it would incorrectly consider the malicious, attacker-supplied room as the legitimate upgraded successor of the tombstoned room instead of performing proper validation to ensure the new room was created from a legitimate upgrade event.
Platform: matrix-js-sDK
Version: <38.2.0
Vulnerability: Insufficient Validation
Severity: Low

date: 2025-09-16

Prediction: Patch Available

What Undercode Say:

`MatrixClient::getJoinedRooms()`

`m.room.predecessor`

`getRooms()`

How Exploit:

Malicious predecessor event.

Room replacement attack.

Protection from this CVE

Upgrade to v38.2.0.

Use `getRooms()` instead.

Impact:

Unauthorized room replacement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top