Matrix Rust SDK
by Matrix Org
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-34353 | | Med | 0.29 | 5.5 | 0.00 | | May 14, 2024 | The matrix-sdk-crypto crate, part of the Matrix Rust SDK project, is an implementation of a Matrix end-to-end encryption state machine in Rust. In Matrix, the server-side `key backup` stores encrypted copies of Matrix message keys. This facilitates key sharing between a user's… |
| CVE-2024-40648 | | Med | 0.28 | 5.4 | 0.00 | | Jul 18, 2024 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before version 0.7.2 doesn't take into account the verification status of the user's own identity while performing the check… |
| CVE-2025-53549 | | Med | 0.27 | — | 0.00 | | Jul 10, 2025 | The Matrix Rust SDK is a collection of libraries that make it easier to build Matrix clients in Rust. An SQL injection vulnerability in the EventCache::find_event_with_relations method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in… |
| CVE-2025-48937 | | Med | 0.25 | 4.9 | 0.00 | | Jun 10, 2025 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. matrix-sdk-crypto since version 0.8.0 and up to 0.11.0 does not correctly validate the sender of an encrypted event. Accordingly, a malicious homeserver operator can modify events served to clients,… |
| CVE-2024-52813 | | Med | 0.21 | 4.3 | 0.00 | | Jan 7, 2025 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust. Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause… |
| CVE-2025-59047 | | Low | 0.11 | — | 0.00 | | Sep 11, 2025 | matrix-sdk-base is the base component to build a Matrix client library. In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of `Int::Min`. The issue is fixed in matrix-sdk-base 0.14.1.… |
| CVE-2026-45057 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | The message edit validation logic in the `matrix-sdk-ui` crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator (or an actor with… |
| CVE-2026-45056 | | | 0.00 | — | 0.00 | | Jun 4, 2026 | The `matrix-sdk-crypto` crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the `sender_device_keys` property. This could be exploited to spoof the sender of an encrypted to-device message,… |
| CVE-2025-66622 | | | 0.00 | — | 0.00 | | Dec 9, 2025 | matrix-sdk-base is the base component to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition, if a user is… |
| CVE-2022-39252 | | | 0.00 | — | 0.00 | | Sep 29, 2022 | matrix-rust-sdk is an implementation of a Matrix client-server library in Rust, and matrix-sdk-crypto is the Matrix encryption library. Prior to version 0.6, when a user requests a room key from their devices, the software correctly remembers the request. When the user receives… |