VYPR
Low severity · OSV Advisory · Published Sep 11, 2025 · Updated Apr 15, 2026

CVE-2025-59047

Description

matrix-sdk-base is the base component to build a Matrix client library. In matrix-sdk-base before 0.14.1, calling the RoomMember::normalized_power_level() method can cause a panic if a room member has a power level of Int::Min. The issue is fixed in matrix-sdk-base 0.14.1. The affected method isn’t used internally, so avoiding calling RoomMember::normalized_power_level() prevents the panic.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| matrix-sdk-base (crates.io) | < 0.14.1 | 0.14.1 |

Patches

5ef3ecac8c63

chore: Allow the adler crate despite it being unmaintained

https://github.com/matrix-org/matrix-rust-sdk · Damir Jelić · Sep 5, 2025 · via osv
1 file changed · +1 0
  • .deny.toml+1 0 modified
    @@ -10,6 +10,7 @@ exclude = [
     version = 2
     ignore = [
         { id = "RUSTSEC-2024-0436", reason = "Unmaintained paste crate, not critical." },
    +    { id = "RUSTSEC-2025-0056", reason = "Unmaintained adler crate, not a direct dependency" },
     ]
     
     [licenses]
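
Review bot: the new `RUSTSEC-2025-0056` entry in the `ignore` list gives only "not a direct dependency" as its reason, which does not record which crate pulls in `adler` or when the exception can be dropped. Suggest naming the parent dependency or a tracking issue in the `reason` string so the entry can be audited and removed later, since an ignored advisory otherwise stays silenced indefinitely. This hunk only changes `.deny.toml` and contains no change to `normalized_power_level()`, so it should not be read as the fix for the panic described above.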
    
ce3b67f80144

Update bindings/matrix-sdk-ffi/CHANGELOG.md

https://github.com/matrix-org/matrix-rust-sdk · Damir Jelić · Sep 9, 2025 · via ghsa
1 file changed · +1 1
  • bindings/matrix-sdk-ffi/CHANGELOG.md+1 1 modified
    @@ -8,7 +8,7 @@ All notable changes to this project will be documented in this file.
     
     ### Breaking changes:
     
    -- The `normalized_power_level` field has been removed from the RoomMember
    +- The `normalized_power_level` field has been removed from the `RoomMember`
       struct.
       ([#5635](https://github.com/matrix-org/matrix-rust-sdk/pull/5635))
     
    
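
Review bot: the "Breaking changes" entry for `normalized_power_level` says the field was removed from the `RoomMember` struct but gives no reason and no migration hint. Suggest adding a short clause on why it was removed, or a pointer to the advisory, along with what binding users should read instead, so that consumers of the FFI bindings can tell that this is a security-relevant removal rather than a cleanup. The backtick fix on `RoomMember` itself is fine.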
