CVE-2025-68667
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to forge membership events on vulnerable Matrix homeservers, enabling them to forcibly remove users from rooms, join private rooms, or ban users. Affected products include Conduit, continuwuity, Grapevine, and tuwunel servers running vulnerable versions.
💻 Affected Systems
- Conduit
- continuwuity
- Grapevine
- tuwunel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of private rooms through unauthorized access, removal of all users (including admins and bots) from critical rooms, and disruption of room protections and policy enforcement.
Likely Case
Unauthorized access to private rooms and targeted removal of users from rooms, leading to data exposure and denial of service.
If Mitigated
Limited impact if workarounds are implemented, but still vulnerable to determined attackers until patched.
🎯 Exploit Status
Exploitation requires network access to the vulnerable endpoint but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Conduit 0.10.10, continuwuity 0.5.0, Grapevine commit 9a50c244, tuwunel 1.4.8
Vendor Advisory: https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8
Restart Required: Yes
Instructions:
1. Identify your homeserver software and version.
2. Update to the patched version using your package manager or build from source.
3. Restart the homeserver service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Block vulnerable endpoint
Block access to the vulnerable PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using a reverse proxy.
# Example nginx configuration to block the endpoint
location ~ ^/_matrix/federation/v2/invite/ {
    deny all;
    return 403;
}
🧯 If You Can't Patch
- Implement the reverse proxy workaround to block the vulnerable endpoint.
- Isolate vulnerable servers from untrusted networks and limit federation to trusted servers only.
🔍 How to Verify
Check if Vulnerable:
Check your homeserver version against affected versions. If running Conduit < 0.10.10, continuwuity < 0.5.0, Grapevine prior to commit 9a50c244, or tuwunel < 1.4.8, you are vulnerable.
Check Version:
# For Conduit: conduit --version
# For other servers, check their documentation for version commands
Verify Fix Applied:
Confirm your homeserver version matches or exceeds the patched version. Test that the vulnerable endpoint is no longer accessible or properly validates requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual membership events (leave, invite, ban) from unexpected sources
- Failed validation errors for membership events
- High volume of requests to the vulnerable endpoint
Network Indicators:
- Unusual traffic patterns to PUT /_matrix/federation/v2/invite/ endpoint
- Requests to this endpoint from untrusted IPs
SIEM Query:
Example: search for 'PUT /_matrix/federation/v2/invite/' in web server logs with status codes 200 or 403
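An added example (not code from the advisory or from any of the listed projects) that implements the log search described above: it parses constructed nginx combined-format access log lines, counts PUT requests to the v2 invite endpoint per source address and status code, and flags sources whose requests reached the backend (2xx) rather than being blocked (403). The sample addresses, the user-agent strings and the alert threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in nginx "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "PUT /_matrix/federation/v2/invite/!abc:example.org/$evt1 HTTP/1.1" 200 512 "-" "matrix-federation/1.0"
203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "PUT /_matrix/federation/v2/invite/!abc:example.org/$evt2 HTTP/1.1" 200 512 "-" "matrix-federation/1.0"
203.0.113.7 - - [10/Jan/2026:12:00:03 +0000] "PUT /_matrix/federation/v2/invite/!abc:example.org/$evt3 HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.4 - - [10/Jan/2026:12:00:04 +0000] "GET /_matrix/client/v3/sync HTTP/1.1" 200 2048 "-" "Element/1.11"
198.51.100.4 - - [10/Jan/2026:12:00:05 +0000] "PUT /_matrix/federation/v1/send/txn1 HTTP/1.1" 200 128 "-" "matrix-federation/1.0"
"""

# Combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
INVITE_PREFIX = "/_matrix/federation/v2/invite/"  # endpoint named in the advisory


def scan_invite_requests(log_text):
    """Return {ip: {status: count}} for PUT requests to the v2 invite endpoint."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "PUT" and m["path"].startswith(INVITE_PREFIX):
            hits[m["ip"]][m["status"]] += 1
    return {ip: dict(c) for ip, c in hits.items()}


def flag_sources(hits, threshold=2):
    """Flag sources whose invite PUTs reached the backend (2xx) at least `threshold` times.

    Blocked requests (403) show the workaround is in place; 2xx responses mean the
    request was handled by the homeserver and deserve review. Threshold is an assumption.
    """
    flagged = []
    for ip, by_status in hits.items():
        reached = sum(n for s, n in by_status.items() if s.startswith("2"))
        if reached >= threshold:
            flagged.append((ip, reached))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, reached in flag_sources(scan_invite_requests(SAMPLE_LOG)):
        print(f"{ip}: {reached} invite PUT(s) reached the homeserver")
```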
🔗 References
- https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047
- https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5
- https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8
- https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3
- https://gitlab.com/famedly/conduit/-/releases/v0.10.10
- https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c