High-Severity Flaws Found in Matrix Protocol, Posing Risk to Government Communications
The Matrix Foundation, the organization behind the eponymous federated communication protocol, has announced the release of an unscheduled update addressing two high-severity vulnerabilities which, if successfully exploited, could have had critical consequences. According to the developers, in a worst-case scenario, exploitation might have allowed attackers to seize control of private channels — including those used by government entities.
Technical details remain undisclosed. The official advisory merely notes that the flaws were discovered during a joint investigation by specialists from Element and the Matrix.org Foundation. Representatives stated that there is no evidence of exploitation in real-world attacks. Matthew Hodgson, co-founder and CEO of the project, emphasized that the scale and complexity of the issues forced the team to deviate from Matrix’s standard specification change procedures, working instead under embargo to develop the patches.
Unlike centralized messengers such as WhatsApp or Signal, Matrix is an open, federated standard that administrators can deploy on their own servers. It is actively used by governmental and corporate bodies in Europe, for instance the French government platform Tchap, the German Bundeswehr, and other agencies, for secure communications.
Security, the Foundation stressed, is not optional — it is essential.
The team first warned of potential issues a month ago, sharing technical details and fixes under embargo with all known operators of independent server deployments. Initially, the update window was planned for six days, but the disclosure period was extended to a month to give organizations time to test the changes.
The first vulnerability, tracked as CVE-2025-49090 (CVSS score not yet assigned), affects the room management mechanism. It could, for example, allow a malicious administrator within a governmental infrastructure to alter or revoke permissions set by a channel creator. In theory, this could disrupt data exchange during a crisis, wrest control of a private chat, or redirect participants to a spoofed room running a modified protocol. However, Matrix later clarified that this scenario does not accurately reflect the nature of the flaw, and full technical details will only be revealed once the embargo is lifted.
The second flaw, CVE-2025-54315, relates to room ID generation. Normally, room IDs are unique, unpredictable random values, but under certain conditions an attacker could predict future IDs. In theory, this could enable them to create a room in advance or join a confidential channel without an invitation, impose their own rules, and intercept data. However, Matrix stressed that the bug does not actually permit pre-creation of rooms, unauthorized joining of secure chats, or data exfiltration; otherwise, it would have been rated "Critical" instead of "High."
The Foundation cautioned that room updates may cause service disruptions and recommended that administrators test patch deployment before rolling it out, providing special guidance for doing so. Full disclosure of both vulnerabilities is scheduled for August 14.