CVE-2025-59047: 
Rust vulnerability analysis and mitigation

CVE-2025-59047 affects matrix-sdk-base, a base component used to build Matrix client libraries. The vulnerability was discovered and disclosed on September 11, 2025, affecting versions before 0.14.1. The issue occurs when calling the RoomMember::normalized_power_level() method, which can cause a panic if a room member has a power level of Int::Min (GitHub Advisory).

The vulnerability is classified as CWE-682 (Incorrect Calculation) and has been assigned a CVSS v4.0 Base Score of 2.7 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The core issue lies in the integer overflow during power level normalization calculation, specifically when the input power_level is Int::MIN, multiplying it by 100 causes an overflow, and the subsequent attempt to convert this value back to a ruma::Int triggers a panic (Miggo).

The vulnerability only affects the availability of the system through a potential panic in the application. The CVSS scoring indicates no impact on confidentiality (VC:N) or integrity (VI:N), with a low impact on availability (VA:L) (GitHub Advisory).

The vulnerability has been fixed in matrix-sdk-base version 0.14.1. For users unable to update immediately, a workaround exists as the affected method isn't used internally - avoiding calls to RoomMember::normalized_power_level() prevents the panic (GitHub Advisory).