
The Matrix.org Foundation has released a coordinated security update for all Matrix server implementations, addressing two high-severity protocol vulnerabilities.
The first flaw is tracked as CVE-2025-49090, while the second is pending a CVE assignment. The fixes, deployed at 17:00 UTC on August 11, 2025, are accompanied by the introduction of room version 12, which brings significant protocol-level changes aimed at hardening the federation against exploitation.
Matrix is an open-source, decentralized communication protocol used for secure messaging, VoIP, and real-time collaboration. It supports both private deployments and global federation, with adoption spanning public communities, enterprise deployments, and government use. Its security model relies heavily on trust boundaries between federated servers, making protocol-level flaws particularly sensitive.
The vulnerabilities stem from flaws in Matrix’s state resolution algorithm, allowing potential “state reset” scenarios where malicious actors could manipulate room state inconsistencies to gain elevated permissions or disrupt communities.
Over the past six months, the Element server team and the Matrix.org Foundation’s security group worked under embargo with server implementers to develop fixes. The mitigation required both server-side patches and protocol-level changes, coordinated across all known active implementations.
The security update affects all major server implementations, including Conduit, Continuwuity, ejabberd, Dendrite, Rocket.Chat, Synapse, Synapse Pro, and Tuwunel, with patched versions now available. The urgency of applying the patch depends on the server configuration:
- Single-instance, unfederated homeservers: No urgent action required.
- Restricted federation servers: Update only if untrusted partners are involved.
- Open federation servers: Immediate update recommended.
Room and community administrators hosting spaces that federate with untrusted servers should plan to upgrade to room version 12 once client and server compatibility is assured. The Matrix.org Foundation itself plans to transition its public rooms in September 2025 to allow sufficient lead time for adoption.
Matrix room version 12
The newly introduced room version 12 implements two major modifications:
- Creator Privileges (MSC4289): Room creators are now permanently privileged above all other participants. A new additional_creators field in the m.room.create event allows multiple designated creators. To prevent privilege escalation, the default power level for sending m.room.tombstone events (which upgrade rooms) is set to 150, above the typical admin threshold, meaning only creators can delegate this ability.
- Room ID Format Update (MSC4291): Room IDs are now cryptographic hashes of their m.room.create events, changing their visual format and requiring updated client support.
Matrix clients and bots must be updated to handle both the new power-level logic and the altered room ID format. Developers who assign explicit power levels to creators in power_level_content_override must remove those assignments to avoid room creation failures.
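The adjustment described above for bots and clients, as an added example that is not Matrix.org's or any server's own code: it takes a Client-Server API /createRoom request body (the `room_version`, `creation_content` and `power_level_content_override` keys are real API fields; the sample body, the `@...:example.org` user IDs and the decision to merely flag a lowered m.room.tombstone level are assumptions made for this example).

```python
# Added example (not Matrix.org's code): prepare a /createRoom request body
# for room version 12 so that explicit creator power levels, which the
# advisory says now make room creation fail, are removed before sending.
from copy import deepcopy

V12_TOMBSTONE_DEFAULT = 150  # default m.room.tombstone power level in v12 (from the advisory)


def creators_of(body: dict, sender: str) -> set:
    """Users the server treats as creators: the m.room.create sender plus, in
    room version 12, anyone listed in additional_creators (MSC4289)."""
    extra = body.get("creation_content", {}).get("additional_creators", [])
    return {sender, *extra}


def sanitize_create_room_body(body: dict, sender: str) -> tuple[dict, list[str]]:
    """Return a copy of the /createRoom body adjusted for room version 12 and
    a list of notes describing what was changed or flagged."""
    body = deepcopy(body)
    notes: list[str] = []
    if body.get("room_version") != "12":
        return body, notes  # older room versions keep explicit creator power levels
    override = body.get("power_level_content_override", {})
    users = override.get("users", {})
    for user in sorted(creators_of(body, sender)):
        if user in users:
            del users[user]  # creators are implicitly privileged in v12
            notes.append(f"removed explicit power level for creator {user}")
    # Assumption for this example: only flag a tombstone level below the v12
    # default, since the advisory raised it so that only creators delegate upgrades.
    tombstone = override.get("events", {}).get("m.room.tombstone")
    if tombstone is not None and tombstone < V12_TOMBSTONE_DEFAULT:
        notes.append(f"m.room.tombstone level {tombstone} is below the v12 default {V12_TOMBSTONE_DEFAULT}")
    return body, notes


# Constructed sample request: a bot creating a v12 room with a co-creator and
# explicit power levels carried over from its pre-v12 code.
SAMPLE_BODY = {
    "room_version": "12",
    "creation_content": {"additional_creators": ["@cofounder:example.org"]},
    "power_level_content_override": {
        "users": {"@bot:example.org": 100, "@cofounder:example.org": 100, "@mod:example.org": 50},
        "events": {"m.room.tombstone": 100},
    },
}

if __name__ == "__main__":
    cleaned, notes = sanitize_create_room_body(SAMPLE_BODY, "@bot:example.org")
    print(cleaned["power_level_content_override"]["users"])  # {'@mod:example.org': 50}
    print("\n".join(notes))
```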
The Matrix.org Foundation will publish the full technical details and related MSCs on August 14, 2025, when the embargo lifts, marking one of the most significant coordinated protocol updates since Matrix 1.0 in 2019.