CVE-2025-68667: continuwuity Has an Unintended Proxy or Intermediary and Improper Input Validation



⚠️ Security Alert: A critical vulnerability has been identified that requires immediate attention.

Vulnerability Overview

CVE Identifier: CVE-2025-68667
Severity Rating: 9.9 / 10.0 - CRITICAL
Detection Date: 24 Dec 2025
Vulnerability Type: Unintended Proxy or Intermediary; Improper Input Validation

Description

continuwuity is a Matrix homeserver written in Rust. Prior to version 0.5.0, a remote, unauthenticated attacker can force the target server to cryptographically sign arbitrary membership events. The server signs such events without validating the origin of the signing request; the only condition it checks is that the event's state_key is a valid user ID belonging to the target server. This issue has been patched in version 0.5.0. As a workaround, block access to the PUT /_matrix/federation/v2/invite/{roomId}/{eventId} endpoint at the reverse proxy in front of the server.
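The following nginx server block implements the reverse-proxy workaround named above. It is an added example, not configuration from the advisory or from the continuwuity project; the server name, listen port, certificate paths and the upstream address 127.0.0.1:6167 are placeholders to be replaced with the values of the deployment in front of which the proxy sits.

```nginx
# Added example, not part of the advisory or the continuwuity project.
# Placeholders: server_name, listen port, certificate paths, upstream address.
server {
    listen 8448 ssl;
    server_name matrix.example.org;
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # Workaround from the advisory: refuse PUT on the v2 federation invite
    # endpoint until the homeserver has been upgraded to 0.5.0 or later.
    # The regex matches /_matrix/federation/v2/invite/{roomId}/{eventId};
    # room and event IDs never contain a "/", whether or not they arrive
    # percent-encoded. Only the PUT method is refused; any other request
    # on this path is proxied unchanged.
    location ~ ^/_matrix/federation/v2/invite/[^/]+/[^/]+$ {
        if ($request_method = PUT) {
            return 403;
        }
        proxy_pass http://127.0.0.1:6167;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is forwarded to the homeserver as before.
    location / {
        proxy_pass http://127.0.0.1:6167;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate the file with `nginx -t` before reloading, and confirm the block is active by sending a PUT to a URL of the matching shape and checking for a 403 while a GET to another federation path still reaches the homeserver. Keep in mind that this endpoint is also how remote homeservers deliver legitimate invites to local users, so inbound federated invites arriving through it will be refused for as long as the block is in place; remove the location block once the server runs 0.5.0 or later.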

Potential Impact

This vulnerability poses a critical risk to affected systems. Organizations using the affected software should prioritize patching and implement appropriate security measures immediately.

  • Unauthorized Access: Potential unauthorized access to sensitive systems or data
  • Remote Code Execution: Attackers may execute arbitrary code remotely
  • Service Disruption: Risk of service disruption or denial of service attacks
  • Data Breach: Possibility of data breach or information disclosure

Recommended Actions

  1. Immediate Assessment: Identify if your systems are running affected versions of the software
  2. Apply Patches: Install security updates and patches as soon as they become available
  3. Implement Workarounds: Apply temporary mitigations if patches are not yet available
  4. Monitor Systems: Increase monitoring for signs of exploitation attempts
  5. Update Security Policies: Review and update security policies based on this vulnerability
  6. Inform Stakeholders: Communicate the risk to relevant stakeholders and teams


Disclaimer: This information is provided for security awareness purposes. Always verify with official sources and consult with security professionals before taking action. The severity scores and information are based on publicly available data at the time of publication.
