Secure chat darling Matrix admits pair of 'high severity' protocol flaws need painful fixes

(2025/08/13)


The maintainers of the federated secure chat protocol Matrix are warning users of a pair of "high severity protocol vulnerabilities," addressed in the latest version, saying patching them requires a breaking change in servers and clients.

"Last month we issued 'pre-disclosure: upcoming coordinated security fix for all Matrix server implementations,' describing a coordinated release to fix two high severity protocol vulnerabilities," Jim Mackenzie, veep for trust and safety at the Matrix.org Foundation, said.

"That release is now available as of 1700 UTC on August 11, 2025. Server updates are now available, and MSCs & spec updates will follow on Thursday, August 14, 2025, bringing us to version 1.16 of the spec later in the month, and introducing room version 12."

Matrix, which boasted a conservatively estimated 60 million users, plus around 500,000 government users, back in 2022 [2], isn't a chat platform; it's an open standard for a real-time communication protocol built atop HTTP and WebRTC, designed to make it easy for client apps from any vendor to interoperate using a decentralized federation system.

Matrix was founded by Matthew Hodgson and Amandine Le Pape, who now serve as chief exec and chief operating officer of Element, the firm that commercialises the protocol; it promises secure real-time communication without the usual vendor lock-in.

Hodgson has been vocal in his criticism of rival chat platforms, which he has said often provide little more than lip service to security: he singled out Telegram following its chief's arrest in France last year [5], and back in June dismissed Elon Musk's XChat [6], launched in an attempt to win users back to the platform formerly known as Twitter, as "just another centralized platform where users have zero control over their data."

Vulnerabilities, then, are a source of embarrassment for a platform which bills itself as more secure than the competition - though the exposure depends heavily on how a deployment is federated. The Matrix.org Foundation, the non-profit which operates the matrix.org homeserver, says those running a single Matrix instance with no federation to other servers are at little risk, and "there is nothing you need to do urgently."


Those running with "restricted federation" to only trusted servers can likewise be relatively lax in addressing the vulnerabilities - although the Foundation notes that "if you do not fully trust all of the homeservers in this restricted federation" then "you should update your server as soon as possible."

The biggest impact is to servers participating in "open, unrestricted federation," in which any server is able to connect - and thus to exploit the vulnerabilities. In the July "pre-disclosure" [12], however, Hodgson said that the two "high severity" protocol vulnerabilities "are not Critical Severity vulnerabilities, [so] there is no requirement for room admins to upgrade rooms immediately."

Those who do want to ensure they are protected against attack, the exact nature of which has not yet been publicly disclosed, will need to upgrade their Matrix server to a version which supports Room Version 12 - newly added in version 1.16 of the Matrix specification - and then manually upgrade each room to the new version. Room versions are a per-room property, not a server-wide setting, so users will also need to upgrade their clients in order to participate in rooms that have been moved to Room Version 12.

Matrix has confirmed that protocol implementers Conduit, Continuwuity, ejabberd, Dendrite, Rocket.chat, Synapse, Synapse Pro, and Tuwunel will be "releasing fixes shortly," and that the matrix.org homeserver will move to Room Version 12 some time in September.

"There needs to be enough time to allow clients and servers participating in your room to support v12 before upgrading your room," Mackenzie advised.
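An operator following that sequence (server first, then each room, with clients able to follow) would want two checks before touching any room: that the homeserver actually advertises room version 12 as a stable version, and which rooms are still on an older numbered version. The following is an added example written for this page, not code from the Matrix.org Foundation, Element or any of the server implementations named above. It uses the two standard Client-Server API endpoints, `GET /_matrix/client/v3/capabilities` and `POST /_matrix/client/v3/rooms/{roomId}/upgrade`; `SAMPLE_CAPABILITIES` and `SAMPLE_ROOMS` are constructed sample data, and the `post` transport is a caller-supplied placeholder so the logic runs offline.

```python
"""Plan and drive Matrix room upgrades to room version 12.

Added example, not code from Matrix.org, Element or any homeserver project.
It relies on two standard Client-Server API endpoints:
  GET  /_matrix/client/v3/capabilities            -> room versions the server offers
  POST /_matrix/client/v3/rooms/{roomId}/upgrade  -> body {"new_version": "12"}
The HTTP transport is injected (`post`), so the decision logic runs offline here
against constructed sample data; the room->version table is assumed to come from
the operator's own inventory (Synapse's admin room list reports a "version" field).
"""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

TARGET_VERSION = "12"

# Constructed sample of a /capabilities response (not captured from a real server).
SAMPLE_CAPABILITIES = {
    "capabilities": {
        "m.room_versions": {
            "default": "10",
            "available": {
                "1": "stable", "5": "stable", "6": "stable", "9": "stable",
                "10": "stable", "11": "stable", "12": "stable",
                "org.example.experimental": "unstable",
            },
        }
    }
}

# Constructed room inventory: room ID -> current room version.
SAMPLE_ROOMS = {
    "!ops:example.org": "10",
    "!announce:example.org": "12",
    "!legacy:example.org": "5",
    "!lab:example.org": "org.example.experimental",
}


def server_supports(caps: dict, version: str) -> bool:
    """True only if the server lists `version` as *stable*; an "unstable" entry is
    an experimental version and not a safe upgrade target."""
    available = caps.get("capabilities", {}).get("m.room_versions", {}).get("available", {})
    return available.get(version) == "stable"


def version_number(version: str) -> Optional[int]:
    """Spec room versions are decimal strings ("1".."12"). Anything else is a
    vendor/experimental version whose ordering we cannot know, so return None."""
    return int(version) if re.fullmatch(r"[0-9]+", version) else None


def rooms_needing_upgrade(rooms: Dict[str, str], target: str = TARGET_VERSION) -> List[str]:
    """Room IDs whose version is numerically below `target`. Rooms already at or
    above it, and rooms on non-numeric versions, are left alone."""
    target_n = version_number(target)
    due = []
    for room_id, version in rooms.items():
        current = version_number(version)
        if current is not None and target_n is not None and current < target_n:
            due.append(room_id)
    return sorted(due)


def upgrade_requests(rooms: Dict[str, str], caps: dict, target: str = TARGET_VERSION) -> List[dict]:
    """Build the upgrade calls. Refuse outright if the server does not advertise
    `target` as stable: the server must be updated before any room is."""
    if not server_supports(caps, target):
        raise RuntimeError(f"server does not offer room version {target} as stable; update the server first")
    return [
        {
            "room_id": room_id,
            # Room IDs contain '!' and ':', so they are percent-encoded in the path.
            "path": f"/_matrix/client/v3/rooms/{quote(room_id, safe='')}/upgrade",
            "body": {"new_version": target},
        }
        for room_id in rooms_needing_upgrade(rooms, target)
    ]


def run_upgrades(rooms: Dict[str, str], caps: dict, post: Callable[[str, dict], dict],
                 target: str = TARGET_VERSION) -> Dict[str, str]:
    """Execute the plan through `post(path, body)` (a caller-supplied HTTP wrapper that
    adds the access token) and map each old room ID to its replacement room. The
    server creates a new room and leaves an m.room.tombstone event in the old one."""
    replacements = {}
    for req in upgrade_requests(rooms, caps, target):
        response = post(req["path"], req["body"])
        replacements[req["room_id"]] = response["replacement_room"]
    return replacements


if __name__ == "__main__":
    # Offline demo with a fake transport standing in for the homeserver.
    def fake_post(path: str, body: dict) -> dict:
        return {"replacement_room": "!replacement-" + path.split("/")[5][:10] + ":example.org"}

    for old, new in run_upgrades(SAMPLE_ROOMS, SAMPLE_CAPABILITIES, fake_post).items():
        print(f"{old} -> {new}")
```

Two design points: the upgrade is refused unless the server lists the target as "stable", because an "unstable" entry is an experimental version rather than a released one, and rooms on non-numeric versions are skipped rather than guessed at. What the script cannot see is whether the other homeservers and clients in each room already support v12, which is exactly the judgment Mackenzie leaves to the room admin.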

The full announcement is available on the Matrix website [14]. One vulnerability has been assigned CVE-2025-49090 [15], with no details yet available, while the other has yet to be assigned a CVE ID.

The Register asked Element if the vulnerabilities are under active exploitation. ®



[2] https://www.theregister.com/2022/07/15/matrix_grows/

[5] https://www.theregister.com/2024/09/25/element_bosses_on_funding_open/

[6] https://www.theregister.com/2025/06/03/xs_new_encrypted_xchat_feature/

[12] https://matrix.org/blog/2025/07/security-predisclosure/

[14] https://matrix.org/blog/2025/08/security-release/

[15] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49090
