CVE-2025-59047
CVE-2025-59047 is a low-severity vulnerability with a CVSS 4.0 base score of 2.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-682.
Key facts
- Severity: Low (CVSS 4.0 base score 2.7)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-28979
- Weakness: CWE-682
- Published:
- Last modified:
Description
matrix-sdk-base is the base component to build a Matrix client library. In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of `Int::Min`. The issue is fixed in matrix-sdk-base 0.14.1. The affected method isn’t used internally, so avoiding calling `RoomMember::normalized_power_level()` prevents the panic.
Frequently asked questions
- What is CVE-2025-59047?
- matrix-sdk-base is the base component to build a Matrix client library. In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of `Int::Min`. The issue is fixed in matrix-sdk-base 0.14.1. The affected method isn’t used internally, so avoiding calling `RoomMember::normalized_power_level()` prevents the panic.
- How severe is CVE-2025-59047?
- CVE-2025-59047 has a CVSS 4.0 base score of 2.7, rated low severity.
- Is CVE-2025-59047 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-59047?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-59047 have an EU (EUVD) identifier?
- Yes. CVE-2025-59047 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-28979.
- When was CVE-2025-59047 published?
- CVE-2025-59047 was published on 2025-09-11 and last updated on 2026-06-17.
References
- https://github.com/matrix-org/matrix-rust-sdk/commit/ce3b67f801446387972ff120e907ca828a9f1207
- https://github.com/matrix-org/matrix-rust-sdk/pull/5635
- https://github.com/matrix-org/matrix-rust-sdk/releases/tag/matrix-sdk-base-0.14.1
- https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-qhj8-q5r6-8q6j
Other CWE-682 vulnerabilities
- CVE-2023-2163 — Critical (CVSS 10.0): Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe,…
- CVE-2026-1229 — Critical (CVSS 9.8): The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific…
- CVE-2024-36736 — Critical (CVSS 9.8): An issue in the oneflow.permute component of OneFlow-Inc. Oneflow v0.9.1 causes an incorrect calculation when the same…
- CVE-2022-30600 — Critical (CVSS 9.8): A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout…
- CVE-2021-44847 — Critical (CVSS 9.8): A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through…
- CVE-2020-0221 — Critical (CVSS 9.8): Airbrush FW's scratch memory allocator is susceptible to numeric overflow. When the overflow occurs, the next…