Vulnerability DatabaseCVE-2022-39254

CVE-2022-39254:
Python vulnerability analysis and mitigation

Overview

matrix-nio, a Python Matrix client library designed according to sans I/O principles, was found to contain a security vulnerability (CVE-2022-39254) affecting versions prior to 0.20. The vulnerability was disclosed on September 29, 2022, and impacts the room key request functionality of the library (GitHub Advisory).

Technical details

The vulnerability exists in the room key request mechanism where the software correctly remembers the request but fails to verify the source of the forwarded room key. When users request a room key from their devices, the library accepts the forwarded key without properly validating who sent it. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

Impact

The vulnerability could allow malicious homeservers to insert room keys of questionable validity into the key store, potentially enabling impersonation attacks. This compromises the integrity of the key management system and could lead to unauthorized access to encrypted communications (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in matrix-nio version 0.20. Users should upgrade to this version or later to address the security issue. The fix implements proper validation to ensure forwarded room keys are only accepted from trusted devices that were originally requested (GitHub Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

6.5

Score

Published September 29, 2022

Severity MEDIUM

CNA Score 8.6

Affected Technologies

Python
Linux Debian

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 51.2

Exploitation Probability (EPSS) 0.3

Affected packages and libraries

python-matrix-nio
matrix-nio

Sources

NVD
Debian Security Tracker
- Debian 12 Severity MEDIUMHas FixAdded at: Oct 01, 2022
- Debian 13 Severity MEDIUMHas FixAdded at: Jun 11, 2023
- Debian 14 Severity MEDIUMHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity MEDIUMHas FixAdded at: Nov 18, 2025
GitHub Advisory Database
- pip Severity HIGHHas FixAdded at: Oct 01, 2022

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Python vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-66423	HIGH	7.1	Python	tryton-server	No	Yes	Nov 30, 2025
CVE-2025-66454	MEDIUM	6.5	Python	arcade-mcp-server	No	Yes	Dec 02, 2025
CVE-2025-66424	MEDIUM	6.5	Python	trytond	No	Yes	Nov 30, 2025
CVE-2025-66422	MEDIUM	4.3	Python	tryton-server	No	Yes	Nov 30, 2025
CVE-2025-65858	LOW	3.5	Python	calibreweb	No	No	Dec 02, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2022-39254: Python vulnerability analysis and mitigation