CVE-2025-48937: 
Rust vulnerability analysis and mitigation

CVE-2025-48937 affects matrix-rust-sdk, an implementation of a Matrix client-server library in Rust. The vulnerability exists in matrix-sdk-crypto versions from 0.8.0 up to 0.11.0, where the software does not correctly validate the sender of an encrypted event. The issue was discovered and disclosed on June 10, 2025, and has been fixed in versions 0.11.1 and 0.12.0 (Matrix Advisory).

The vulnerability stems from a failure to properly validate event senders in encrypted communications. The Matrix specification requires clients to ensure that 'the event's sender, roomid, and the recorded sessionid match a trusted session.' While the vulnerable versions check the roomid against the session denoted by sessionid, they fail to verify the sender. The vulnerability has been assigned a CVSS v3.1 score of 4.9 (MEDIUM) with the vector string AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N (Matrix Advisory).

A malicious homeserver operator can exploit this vulnerability to modify events served to clients, making those events appear to recipients as if they were sent by another user. Despite the MEDIUM CVSS score, this is considered a HIGH severity security issue due to its potential for identity spoofing in encrypted communications (Matrix Advisory).

The vulnerability has been patched in matrix-sdk-crypto versions 0.11.1 and 0.12.0. The fix was implemented in commit 13c1d20, which adds proper validation of event senders. Users should upgrade to these patched versions to protect against this vulnerability (Matrix Advisory).