CVE-2025-59160

Impact

matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.

Patches

The issue has been patched and users should upgrade to 38.2.0.

Workarounds

Avoid using MatrixClient::getJoinedRooms in favour of getRooms() and filtering upgraded rooms separately.

Published: Sep 16, 2025
Updated: Sep 23, 2025
CVE: CVE-2025-59160
GHSA: GHSA-mp7c-m3rh-r56v
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-20
CWE-345
CWE-862

Affected Software
References

Software	From	Fixed in
matrix-js-sdk	-	38.2.0

https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v
https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0

Vulnerability Database

CVE-2025-59160

Impact

Patches

Workarounds

Deep Security Visibility Without the Complexity