Description

MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1.

INFO

Published Date: 2025-10-16T18:44:02.616Z

Last Modified: 2025-10-16T19:34:11.777Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-62425 vulnerability.

Vendor: Element
Products:
  • Element
