CVE-2025-68667 – continuwuity Has an Unintended Proxy or Intermediary and Improper Input Validation

CVE ID : CVE-2025-68667

Published : Dec. 23, 2025, 11:15 p.m. | 5 hours, 5 minutes ago

Description : continuwuity is a Matrix homeserver written in Rust. Prior to version 0.5.0, this vulnerability allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. The flaw exists because the server fails to validate the origin of a signing request, provided the event’s state_key is a valid user ID belonging to the target server. This issue has been patched in version 0.5.0. A workaround for this issue involves blocking access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint using the reverse proxy.

Severity: 9.9 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…