Safety vulnerability ID: 51289
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Matrix-nio 0.20 includes a fix for CVE-2022-39254: Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once the client receives a forwarded room key, it accepts the key without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack.
Latest version: 0.25.2
A Python Matrix client library, designed according to sans I/O principles.
matrix-nio is a Python Matrix client library, designed according to sans I/O principles. Prior to version 0.20, when a user requests a room key from their devices, the software correctly remembers the request. Once the client receives a forwarded room key, it accepts the key without checking who the room key came from. This allows homeservers to try to insert room keys of questionable validity, potentially mounting an impersonation attack. Version 0.20 fixes the issue. See CVE-2022-39254.
CONFIRM: https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh
MISC: https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0
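The missing sender check described above, as an added example that is not matrix-nio's code or part of the advisory: a simplified model in which a forwarded room key is stored only if it answers an outstanding request and came from one of the user's own trusted devices that was asked. `KeyStore`, `ForwardedKey`, the field names and the exact acceptance conditions are assumptions for illustration; the page states only that the sender was not checked.

```python
from dataclasses import dataclass, field

OWN_USER = "@alice:example.org"  # constructed sample account


@dataclass(frozen=True)
class ForwardedKey:
    """Hypothetical model of a decrypted forwarded-room-key event."""
    sender: str       # Matrix user ID the event came from
    sender_key: str   # curve25519 key of the Olm session that delivered it
    room_id: str
    session_id: str


@dataclass
class KeyStore:
    """Hypothetical client-side store; not the library's real data model."""
    trusted_own_devices: set = field(default_factory=set)  # verified own device keys
    pending: dict = field(default_factory=dict)   # (room, session) -> keys of devices asked
    sessions: dict = field(default_factory=dict)  # session_id -> key it was accepted from

    def request_key(self, room_id, session_id, asked_device_keys):
        # Remember the request and which of our devices it was sent to.
        self.pending[(room_id, session_id)] = set(asked_device_keys)

    def accept_unchecked(self, ev):
        """Pre-fix behaviour from the advisory: only the request is matched."""
        if (ev.room_id, ev.session_id) not in self.pending:
            return False
        self.sessions[ev.session_id] = ev.sender_key
        return True

    def accept_checked(self, ev):
        """Also require that the key came from a device we asked and trust."""
        asked = self.pending.get((ev.room_id, ev.session_id))
        if asked is None:
            return False                      # unsolicited forward
        if ev.sender != OWN_USER:
            return False                      # not from our own account
        if ev.sender_key not in asked & self.trusted_own_devices:
            return False                      # not a trusted device we asked
        del self.pending[(ev.room_id, ev.session_id)]  # a request is answered once
        self.sessions[ev.session_id] = ev.sender_key
        return True
```
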