CVE 9.9 CRITICAL

continuwuity Has an Unintended Proxy or Intermediary and Improper Input Validation_CVE-2025-68667

December 23, 2025 invoker category_cve
9.9 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L

Description

continuwuity is a Matrix homeserver written in Rust. Prior to version 0.5.0, this vulnerability allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. The flaw exists because the server fails to validate the origin of a signing request, provided the event's state_key is a valid user ID belonging to the target server. This issue has been patched in version 0.5.0. A workaround for this issue involves blocking access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using the reverse proxy.

AI Analysis

A remote, unauthenticated attacker can force the target server to cryptographically sign arbitrary membership events due to the server's failure to validate the origin of a signing request.

Basic Information

ID CVE-2025-68667
Source GitHub_M
Published Dec 23, 2025 at 22:45

Affected Product

Vendor continuwuity
Product continuwuity
Version < 0.5.0
Affected Versions continuwuity continuwuity < 0.5.0

CWE Classification

CWE-20 CWE-441

AI Assessment

AI Score 9.9 / 10
AI Severity Critical
Vendor continuwuity
Product continuwuity
Version < 0.5.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.