CVE-2022-39264 HIGH

CVE-2022-39264: nheko vulnerable to secret poisoning using MITM on secret requests by the homeserver

Vendor Nheko-Reborn
Product nheko
Weakness CWE-295
Published September 28, 2022
Last update April 23, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

nheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.

Key dates

02Disclosure timeline

September 28, 2022 CVE published
April 23, 2025 Record updated