VYPR
Medium severity 5.3 · OSV Advisory · Published Apr 3, 2025 · Updated Apr 15, 2026

CVE-2025-31127


Description

Element X Android is a Matrix Android Client provided by element.io. In Element X Android versions between 0.4.16 and 25.03.3, the entity in control of the element.json well-known file is able, under certain conditions, to get access to the media encryption keys used for an Element Call call. This vulnerability is fixed in 25.03.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Element X Android vulnerability allows entity controlling well-known file to access Element Call media encryption keys.

The vulnerability stems from the feature that allows configuring the Element Call widget URL via the .well-known/element/element.json file, present in the affected Element X Android versions 0.4.16 to 25.03.3 [1]. An attacker who controls this well-known file can potentially manipulate the widget URL to gain access to media encryption keys used during an Element Call call [2].

To exploit this, the attacker must be able to control the well-known file for the user's homeserver domain. The attack requires no authentication and can be performed over the network when the app retrieves the well-known file during call setup [2]. The entity in control of the well-known file can intercept or redirect the call widget, leading to exposure of encryption keys.

The impact is a breach of confidentiality for Element Call communications, as the attacker could decrypt media streams [2]. The CVSS score of 5.3 (Medium) reflects limited confidentiality impact, but the advisory notes this as high severity due to the ease of exploitation under certain conditions [2].

Users are advised to update to Element X Android version 25.03.4 or later, which fixes the issue [2]. For deployments where the entire infrastructure is controlled by a single organization, the risk is reduced [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
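
A triage check for the conditions described above, as an added example that is not part of the advisory or of Element's code: it flags client versions inside the affected range and reports whether the call widget host published in element.json belongs to the homeserver operator. The `call.widget_url` key layout, the function names, and the sample document are assumptions made for this example.

```python
import json
from urllib.parse import urlsplit

AFFECTED_MIN = (0, 4, 16)   # first affected release per the advisory
AFFECTED_MAX = (25, 3, 3)   # last affected release; 25.03.4 carries the fix

# Constructed sample of a homeserver's .well-known/element/element.json
SAMPLE_ELEMENT_JSON = '{"call": {"widget_url": "https://call.example.org/room"}}'

def parse_version(text):
    """Turn '25.03.3' into (25, 3, 3) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))

def is_affected(version_text):
    """True when the release falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def widget_host(element_json_text):
    """Return the host of the configured call widget URL, or None if unset.

    Assumption: the URL is stored under call.widget_url.
    """
    try:
        doc = json.loads(element_json_text)
    except json.JSONDecodeError:
        return None
    call = doc.get("call") if isinstance(doc, dict) else None
    url = call.get("widget_url") if isinstance(call, dict) else None
    return urlsplit(url).hostname if isinstance(url, str) else None

def assess(version_text, element_json_text, operator_hosts):
    """Classify one client / homeserver pair for upgrade prioritisation.

    operator_hosts: hosts run by the same organisation as the homeserver,
    the case the advisory describes as reduced risk.
    """
    if not is_affected(version_text):
        return "not-affected"
    host = widget_host(element_json_text)
    if host is None:
        return "affected-no-widget-url-published"
    if host in operator_hosts:
        return "affected-widget-host-same-operator"
    return "affected-widget-host-third-party"

if __name__ == "__main__":
    print(assess("25.03.3", SAMPLE_ELEMENT_JSON, {"matrix.example.org"}))
```

Every "affected" result still calls for the upgrade to 25.03.4; the host classification only orders the work.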
