CVE-2025-59161

Source
https://cve.org/CVERecord?id=CVE-2025-59161
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59161.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59161
Aliases
  • GHSA-m6c8-98f4-75rr
Downstream
Related
Published
2025-09-16T16:44:15.660Z
Modified
2026-04-10T05:31:49.387926Z
Severity
  • 2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left
Details

Element Web is a Matrix web client built using the Matrix React SDK. Element Web and Element Desktop before version 1.11.112 have insufficient validation of room predecessor links, allowing a remote attacker to attempt to impermanently replace a room's entry in the room list with an unrelated attacker-supplied room. While the effect of this is temporary, it may still confuse users into acting on incorrect assumptions. The issue has been patched and users should upgrade to 1.11.112. A reload/refresh will fix the incorrect room list state, removing the attacker's room and restoring the original room.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59161.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/element-hq/element-web

Affected ranges

Type
GIT
Repo
https://github.com/element-hq/element-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
no-media-devices-release
v0.*
v0.1.2
v0.10.0
v0.10.0-rc.2
v0.12.0-rc.1
v0.12.1
v0.12.1-rc.1
v0.12.2
v0.14.3-rc.1
v0.15.0
v0.15.0-rc.1
v0.15.0-rc.2
v0.15.0-rc.3
v0.15.0-rc.4
v0.15.0-rc.5
v0.15.0-rc.6
v0.15.1
v0.15.4
v0.15.4-rc.1
v0.15.5
v0.15.5-rc.1
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.3
v0.16.3-rc.1
v0.16.3-rc.2
v0.17.8
v0.17.8-rc.1
v0.3.0
v0.4.0
v0.4.1
v0.5.0
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.4-r1
v0.7.5
v0.7.5-r1
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.2
v0.9.3
v1.*
v1.11.111
v1.11.111-rc.0
v1.11.35-no-media-devices-hotfix
v1.11.68
v1.11.68-rc.0
v1.4.0
v1.4.0-rc.1
v1.4.0-rc.2
v1.4.1
v1.4.2
v1.4.2-rc.1
v1.5.10
v1.5.3
v1.7.0
v1.7.1
v1.7.11
v1.7.11-rc.1
v1.7.13
v1.7.13-rc.1
v1.7.14
v1.7.14-rc.1
v1.7.16
v1.7.16-rc.1
v1.7.2
v1.7.23
v1.7.23-rc.1
v1.7.30
v1.7.30-rc.1
v1.7.9
v1.7.9-rc.1
v1.9.5
v1.9.5-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59161.json"