Matrix Homeserver Vulnerability in Continuwuity Software by Continuwuity
CVE-2025-68667

9.9CRITICAL

Key Information:

Vendor

Continuwuity

Status
Continuwuity
Vendor
CVE Published:
23 December 2025

What is CVE-2025-68667?

The Continuwuity Matrix homeserver has a significant vulnerability that enables an unauthenticated remote attacker to manipulate the server into cryptographically signing arbitrary membership events. This occurs due to a failure in the server's validation process for the origin of signing requests when the state_key corresponds to a valid user ID associated with the target server. The vulnerability has been addressed in version 0.5.0, and a temporary workaround is to restrict access to the endpoint responsible for handling invite requests via a reverse proxy. This highlights the need for robust security protocols to prevent unauthorized access.

Affected Version(s)

continuwuity < 0.5.0

References

https://github.com/continuwuity/continuwuity/security/adv...
x_refsource_CONFIRM
https://forgejo.ellis.link/continuwuation/continuwuity/co...
x_refsource_MISC
https://forgejo.ellis.link/continuwuation/continuwuity/co...
x_refsource_MISC

CVSS V4

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-68667 : Matrix Homeserver Vulnerability in Continuwuity Software by Continuwuity