-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| matrix-sdk-crypto | rust | >= 0.8.0, < 0.11.1 | 0.11.1 |
Miggo AIRoot Cause AnalysisThe vulnerability, as described and patched, lies in the failure to validate the sender of an encrypted event against the owner of the cryptographic session used for that event. The commit 13c1d2048286bbabf5e7bc6b015aafee98f04d55 directly addresses this by modifying the OlmMachine::verify_session_for_decryption function in crates/matrix-sdk-crypto/src/machine/mod.rs.
Before the patch, this function would proceed without checking if the sender specified in the event metadata matched the user ID derived from the session_id (via sender_data). A malicious homeserver could thus alter the sender field, and the client, relying on matrix-sdk-crypto, would incorrectly attribute the message.
The patch introduces a crucial check: it retrieves the user ID associated with the session (sender_data.user_id()) and compares it with the sender from the event. If they do not match, it flags the event appropriately (currently as DeviceLinkProblem::MissingDevice).
Therefore, OlmMachine::verify_session_for_decryption is the specific function that, in its pre-patch state, contained the vulnerability by omitting this check. During exploitation (i.e., when processing a spoofed event), this function would be called and would fail to detect the sender mismatch. The higher-level function OlmMachine::decrypt_room_event calls this verification function and would also be part of the stack trace during exploitation, but the logical flaw (the missing check) resides within verify_session_for_decryption.
A Semantic Attack on Google Gemini - Read the Latest Research