CVE-2025-31126
Description
In Element X iOS 1.6.13 through 25.03.7, a malicious homeserver admin can set a custom widget URL via a .well-known file to intercept Element Call media encryption keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
Element X iOS versions 1.6.13 through 25.03.7 fetch Element Call widget URL configuration from a .well-known/element/element.json file hosted on the user's homeserver domain [1]. The feature was introduced to allow homeserver administrators to point the client to a custom Element Call widget URL, enabling operation within restricted or self-hosted infrastructures [1]. However, the client does not verify that the provided URL is legitimate, which creates an attack surface.
Exploitation
An attacker who controls the homeserver (or compromises the .well-known hosting) can supply a malicious widget_url in the element.json file [1]. When a user initiates an Element Call, the client loads the widget from the attacker-controlled URL. The attacker can then serve a modified widget that captures the media encryption keys used for the call [2]. The attack requires network-level control over the .well-known endpoint; no user interaction is needed beyond normal call usage, and authentication is not bypassed because the attacker already controls the homeserver's identity.
Impact
Under these conditions, the attacker obtains the encryption keys for the call media, allowing them to decrypt audio, video, or screen-share streams [2]. The CVSS v3 base score is 5.3 (Medium), but the vendor considers this High severity due to the direct compromise of end-to-end encryption guarantees [2]. Deployments where the homeserver and client are under the same administrative control are less exposed.
Mitigation
The vulnerability is fixed in Element X iOS version 25.03.8 [2]. Users should update to the latest version. There is no workaround for deployments that trust external homeservers; organizations running fully controlled infrastructure are inherently less at risk [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2 ranges)
1.6.13, 1.7.0, 1.7.1, … (+1 more)
- (no CPE) range: 1.6.13, 1.7.0, 1.7.1, …
- (no CPE) range: >=1.6.13, <=25.03.7
Patches
10586c2cf5490
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.