Low severity · OSV Advisory · Published Sep 16, 2025 · Updated Apr 15, 2026
CVE-2025-59161
Description
Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.
Affected products
- (no CPE) range: no-media-devices-release, v0.1.2, v0.10.0, …
- (no CPE) range: <1.11.112
- Range: <1.11.112
- pkg:rpm/opensuse/element-desktop&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.11.112-1.1
- pkg:rpm/opensuse/element-web&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.11.112-1.1