RUSTSEC-2025-0043: 
Rust vulnerability analysis and mitigation

A SQL injection vulnerability was identified in the Matrix Rust SDK (matrix-sdk) versions 0.11 and 0.12, specifically in the EventCache::find_event_with_relations method. The vulnerability was assigned CVE-2025-53549 and was disclosed on July 10, 2025. This security flaw affects the default sqlite-based store backend of the Matrix Rust SDK (GitHub Advisory).

The vulnerability exists in the EventCache::find_event_with_relations method, where malicious room members could potentially execute arbitrary SQL commands when relation types are directly passed into this method without proper sanitization. The issue specifically affects the default sqlite-based store backend implementation (GitHub Advisory).

The impact of this vulnerability is considered moderate. However, the actual exploitation risk is deemed unlikely as no known Matrix clients currently implement the API in a way that would make them vulnerable to this attack vector (GitHub Advisory).

Two mitigation options are available: 1) Upgrade to matrix-sdk version 0.13 or later, which contains the fix for this vulnerability, or 2) As a workaround, ensure that only trusted or properly sanitized relation types are passed to the filter argument of EventCache::find_event_with_relations(). The issue was originally introduced in PR #4849 and has been patched in version 0.13 (GitHub Advisory).