CVE-2025-53549 – matrix-sdk-sqlite

Package

Manager: cargo
Name: matrix-sdk-sqlite
Vulnerable Version: >=0.11.0 <0.13.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: 0.00039 pctl0.10469

Details

Matrix Rust SDK vulnerable to SQL Injection through its EventCache implementation An SQL injection vulnerability in the `EventCache::find_event_with_relations` method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in Matrix clients that directly pass relation types provided by those room members into this method, when used with the default sqlite-based store backend. Exploitation is unlikely, as no known clients currently use the API in this manner. ### Workarounds Passing only trusted (or sanitised) relation types to the `filter` argument of `EventCache::find_event_with_relations()` avoids the issue. ### Patches The issue is fixed in matrix-sdk 0.13. ### References The issue was introduced in https://github.com/matrix-org/matrix-rust-sdk/pull/4849.

Metadata

Created: 2025-07-10T17:41:16Z
Modified: 2025-07-11T20:45:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-275g-g844-73jh/GHSA-275g-g844-73jh.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-275g-g844-73jh
Finding: F106
Auto approve: 1