CVE-2025-66622 LOW

CVE-2025-66622: matrix-sdk-base is vulnerable to DoS via custom m.room.join_rules event values

Vendor Matrix-Org
Product matrix-rust-sdk
Weakness CWE-755
Published December 9, 2025
Last update December 9, 2025

CVSS base score

1.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

What the vulnerability does

Description

matrix-sdk-base is the base component used to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values because of a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process stalls, preventing further processing for all rooms. This is fixed in version 0.16.0.
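The failure mode described above, as an added illustration that is not matrix-rust-sdk code: a strict join_rule parser that rejects any value outside the spec's set aborts the whole sync batch at the first unknown value, while a tolerant parser with a Custom fallback lets every room be processed. The room IDs, the custom rule string and the parse/apply functions are constructed for this example.

```rust
/// Join rules defined by the Matrix spec, plus a fallback for anything else.
#[derive(Debug, Clone, PartialEq)]
pub enum JoinRule {
    Public,
    Invite,
    Knock,
    Restricted,
    KnockRestricted,
    Private,
    /// Preserves values the client does not know (e.g. room-version extensions).
    Custom(String),
}

/// Strict parsing: any value outside the known set is an error.
pub fn parse_strict(value: &str) -> Result<JoinRule, String> {
    match value {
        "public" => Ok(JoinRule::Public),
        "invite" => Ok(JoinRule::Invite),
        "knock" => Ok(JoinRule::Knock),
        "restricted" => Ok(JoinRule::Restricted),
        "knock_restricted" => Ok(JoinRule::KnockRestricted),
        "private" => Ok(JoinRule::Private),
        other => Err(format!("unknown join_rule {other:?}")),
    }
}

/// Tolerant parsing: unknown values are kept instead of rejected.
pub fn parse_tolerant(value: &str) -> JoinRule {
    parse_strict(value).unwrap_or_else(|_| JoinRule::Custom(value.to_owned()))
}

/// Apply one sync batch of (room_id, join_rule) pairs and return the rooms
/// whose state was applied. In strict mode the `?` aborts the loop at the
/// first unknown value, so rooms after it are never processed: the
/// "stall for all rooms" behaviour described in the advisory.
pub fn apply_sync(rooms: &[(&str, &str)], strict: bool) -> Result<Vec<(String, JoinRule)>, String> {
    let mut applied = Vec::new();
    for &(room_id, join_rule) in rooms {
        let rule = if strict { parse_strict(join_rule)? } else { parse_tolerant(join_rule) };
        applied.push((room_id.to_owned(), rule));
    }
    Ok(applied)
}

/// Constructed sample batch: one room carries a non-standard join rule.
pub fn sample_batch() -> Vec<(&'static str, &'static str)> {
    vec![
        ("!a:example.org", "public"),
        ("!b:example.org", "org.example.custom_rule"),
        ("!c:example.org", "invite"),
    ]
}
```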

Key dates

Disclosure timeline

December 9, 2025 CVE published
December 9, 2025 Record updated