Upcoming coordinated security fix for all Matrix server implementations
10 months ago
Tags: #Matrix, #Vulnerability, #Security

- Major project by the Element server team and the Matrix.org Foundation security team over the last 6 months to investigate 'state resets'.
- Two high severity protocol vulnerabilities identified (CVE-2025-49090 and another not yet allocated a CVE).
- Coordinated security release across all Matrix server implementations planned for Tuesday Jul 22nd 2025 at 17:00 UTC.
- Vulnerabilities addressed via MSCs, leading to an off-cycle Matrix spec release (1.16) and new room version (12).
- Room admins should plan to upgrade rooms at their convenience, similar to previous security-related room version upgrades.
- Client developers need to review MSC4291 for new room ID format and updates regarding room creators' privileges.
- Matrix.org Foundation seeks donations to support its mission, including maintaining the Matrix Specification and digital privacy rights.