CVE-2025-68667
Published 2025-12-23
Priority: P2 (65) · Severity: critical · CVSS 4.0 base score: 9.9
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:L (all threat, environmental and supplemental metrics not defined: X)
EPSS: 0.53% (40.6th percentile)
Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, unauthenticated attacker to force the target server to cryptographically sign arbitrary membership events. Affected products: Conduit prior to version 0.10.10, continuwuity prior to version 0.5.0, Grapevine prior to commit `9a50c244`, and tuwunel prior to version 1.4.8.

Root cause: the server fails to validate the origin of a signing request. Any event whose `state_key` is a valid user ID belonging to the target server is signed, regardless of which server submitted it, which user it names as `sender`, or which membership change it carries.

Impact:
- Attackers can forge "leave" events for any user on the target server. This forcibly removes users (including admins and bots) from rooms, enabling denial of service and/or the removal of technical protections for a room (including policy servers, if all users on the policy server are removed).
- Attackers can forge "invite" events from a victim user to themselves, provided the attacker has an account on a server that also hosts an account (the victim) with the power level to send invites. This lets the attacker join private or invite-only rooms accessible by the victim, exposing confidential conversation history and room state.
- Attackers can forge "ban" events from a victim user against any user below the victim's power level, provided the victim has the power level to issue bans AND the target of the ban resides on the same server as the victim. The attacker can therefore ban anyone in a room who is on the same server as the vulnerable one, but cannot use this to ban users on other servers or the victim themself.

Fixes: Conduit fixes the issue in version 0.10.10. continuwuity fixes the issue in commits `7fa4fa98` and `b2bead67`, released in 0.5.0. tuwunel fixes the issue in commit `dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3`, released in 1.4.8. Grapevine fixes the issue in commit `9a50c2448abba6e2b7d79c64243bb438b351616c`.

As a workaround, block access to the `PUT /_matrix/federation/v2/invite/{roomId}/{eventId
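The check that the description says is missing, modelled as an added example in Rust (the language of the affected homeservers). This is not code from Conduit, continuwuity, tuwunel or Grapevine; the actual fixes are in the commits listed above. The struct shape, the `vulnerable_check`/`hardened_check` names, and the server names `victim.example` and `attacker.example` are constructed for illustration. The hardened variant assumes, as the advisory's root-cause statement implies, that the request origin (authenticated from the federation request's X-Matrix signature) must match the server of the event's `sender` and that the endpoint signs invites only; the three forgeries run through it are the leave, invite and ban cases described on this page.

```rust
// Added illustration (not code from Conduit, continuwuity, tuwunel or Grapevine):
// a model of the validation the federation invite endpoint
// (PUT /_matrix/federation/v2/invite/{roomId}/{eventId}) must perform before it
// signs the membership event a remote server hands it. Server names, user IDs,
// struct shape and function names are constructed for this example.

#[derive(Debug, Clone, PartialEq)]
pub struct MembershipEvent {
    pub sender: String,     // who performs the membership change
    pub state_key: String,  // whose membership changes
    pub membership: String, // "invite", "leave", "ban", ...
}

pub fn event(sender: &str, state_key: &str, membership: &str) -> MembershipEvent {
    MembershipEvent {
        sender: sender.to_string(),
        state_key: state_key.to_string(),
        membership: membership.to_string(),
    }
}

/// Server part of a Matrix user ID of the form `@localpart:server`.
pub fn server_name(user_id: &str) -> Option<&str> {
    let (localpart, server) = user_id.strip_prefix('@')?.split_once(':')?;
    if localpart.is_empty() || server.is_empty() {
        return None;
    }
    Some(server)
}

#[derive(Debug, PartialEq)]
pub enum Reject {
    BadStateKey,
    ForeignStateKey,
    SenderOriginMismatch,
    NotAnInvite,
}

/// Pre-fix behaviour as the advisory describes it: the only thing checked is
/// that `state_key` is a well-formed user ID on this server. The request
/// origin and the event's sender and membership are ignored.
pub fn vulnerable_check(_origin: &str, local_server: &str, ev: &MembershipEvent) -> Result<(), Reject> {
    match server_name(&ev.state_key) {
        None => Err(Reject::BadStateKey),
        Some(s) if s != local_server => Err(Reject::ForeignStateKey),
        Some(_) => Ok(()),
    }
}

/// Hardened behaviour (assumed shape of the fix): `origin` is the server name
/// authenticated from the request's X-Matrix signature, which an attacker cannot
/// forge for a server whose signing key they do not hold. The event's sender
/// must live on that origin, and this endpoint only ever signs invites.
pub fn hardened_check(origin: &str, local_server: &str, ev: &MembershipEvent) -> Result<(), Reject> {
    vulnerable_check(origin, local_server, ev)?;
    if server_name(&ev.sender) != Some(origin) {
        return Err(Reject::SenderOriginMismatch);
    }
    if ev.membership != "invite" {
        return Err(Reject::NotAnInvite);
    }
    Ok(())
}

/// Runs one legitimate invite and the three forgeries from the advisory through
/// both checks. Returns (case, vulnerable server signs, hardened server signs).
pub fn forgery_outcomes() -> Vec<(&'static str, bool, bool)> {
    let local = "victim.example";    // the vulnerable homeserver
    let origin = "attacker.example"; // authenticated origin of the request
    let cases = [
        // remote inviter, local invitee: the only thing this endpoint is for
        ("legitimate invite", event("@mallory:attacker.example", "@bob:victim.example", "invite")),
        // sender forged as a local admin leaving; state_key is local, so the old check passes
        ("forged leave", event("@admin:victim.example", "@admin:victim.example", "leave")),
        // victim @alice "invites" the attacker's own account on the vulnerable server
        ("forged invite to self", event("@alice:victim.example", "@mallory:victim.example", "invite")),
        // victim @alice "bans" another local user
        ("forged ban", event("@alice:victim.example", "@bob:victim.example", "ban")),
    ];
    cases
        .iter()
        .map(|(name, ev)| {
            (
                *name,
                vulnerable_check(origin, local, ev).is_ok(),
                hardened_check(origin, local, ev).is_ok(),
            )
        })
        .collect()
}

fn main() {
    for (name, vulnerable, hardened) in forgery_outcomes() {
        println!("{:<22} vulnerable signs: {:<5} hardened signs: {}", name, vulnerable, hardened);
    }
}
```

The vulnerable check signs all four events because every `state_key` is a `victim.example` user; the hardened check signs only the legitimate invite, rejecting the forgeries on the sender/origin mismatch before the membership type is even considered. Note that checking `state_key` against the origin, as one might first try, would reject legitimate invites (the invitee is local, the inviter is remote); the field that must agree with the authenticated origin is `sender`.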
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| continuwuity | continuwuity | < 0.5.0 | 0.5.0 |
Detection & IOCs (extracted from sources)
- Monitor PUT requests to the Matrix federation invite endpoint `/_matrix/federation/v2/invite/{roomId}/{eventId}` from unexpected origins; this endpoint is the attack surface exploited by CVE-2025-68667.
- Alert on mass or unexpected "leave" membership events for local users originating from federation, especially for admins and bots, which may indicate forced removal.
- Alert on unexpected "invite" events sent by local users to accounts they would not normally invite, which may indicate an attacker forging invites to gain access to private rooms.
- Alert on unexpected "ban" events issued by local users against other local users, which may indicate forged ban events injected via federation.
- The root cause is failure to validate the origin of a signing request when the event's state_key is a valid local user ID. A legitimate request to this endpoint carries an invite whose sender belongs to the authenticated request origin and whose state_key is the local invitee, so the field to compare against the origin is the event's sender, not the state_key: a signing request whose sender is on a different server than the origin, or whose membership is anything other than "invite", is forged.
- Affected versions: Conduit < 0.10.10, continuwuity < 0.5.0, tuwunel < 1.4.8, and Grapevine prior to commit 9a50c244. Patch or block the federation invite endpoint immediately.
- The workaround (blocking the federation invite endpoint at the reverse proxy) prevents exploitation but also disables legitimate inbound invites from remote servers to users on this server.
- The Fedora 'catalyst' package references a different, unrelated 'conduit' (an HPC data exchange library by LLNL) and is NOT affected by this CVE.
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-68667 catalyst: continuwuity Has an Unintended Proxy or Intermediary and Improper Input Validation [fedora-42]
bugzilla · 2025-12-24 · CVSS 9.9
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is F
Bugzilla
CVE-2025-68667 catalyst: continuwuity Has an Unintended Proxy or Intermediary and Improper Input Validation [fedora-43]
bugzilla · 2025-12-24 · CVSS 9.9
Discussion:
AFAICT the conduit referenced by CVE-2025-68667 [1] is a Matrix chat server, completely separate from the conduit [2,3] used by the Fedora catalyst package. The condui
References
- https://forgejo.ellis.link/continuwuation/continuwuity/commit/7fa4fa98628593c1a963f5aa8dbc3657d604b047
- https://forgejo.ellis.link/continuwuation/continuwuity/commit/b2bead67ac8bc45de9a612578f295e5b7fc6c2b5
- https://github.com/continuwuity/continuwuity/security/advisories/GHSA-22fw-4jq7-g8r8
- https://github.com/matrix-construct/tuwunel/commit/dc9314de1f8a6e040c5aa331fe52efbe62e6a2c3
- https://gitlab.com/famedly/conduit/-/releases/v0.10.10
- https://gitlab.computer.surgery/matrix/grapevine/-/commit/9a50c2448abba6e2b7d79c64243bb438b351616c