Add CVE-2025-53549 for matrix-sdk-sqlite

This commit is contained in:
Damir Jelić
2025-07-11 15:16:34 +02:00
committed by Dirkjan Ochtman
parent 3a1df8e368
commit 4aeb49df4e

@@ -0,0 +1,24 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "matrix-sdk-sqlite"
date = "2025-07-11"
url = "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-275g-g844-73jh"
aliases = ["CVE-2025-53549", "GHSA-275g-g844-73jh"]
categories = ["format-injection"]
keywords = ["sql-injection"]
[affected.functions]
"matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations" = [">= 0.11.0"]
[versions]
patched = [">= 0.13.0"]
unaffected = ["< 0.11.0"]
```
# matrix-sdk-sqlite: SQL injection vulnerability in `SqliteEventCacheStore::find_event_with_relations`
The `SqliteEventCacheStore::find_event_with_relations` function constructs SQL
queries using `format!()` with unescaped input, allowing an attacker to inject
arbitrary SQL. This results in a SQL injection vulnerability.
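Review bot: the function path under `[affected.functions]` (`matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations`) does not match the function named in the title and description (`SqliteEventCacheStore::find_event_with_relations`); one of the two is wrong, and since tooling keys on the path in `[affected.functions]`, please verify the actual method name in matrix-sdk-sqlite and make the three occurrences agree. Also confirm that `id = "RUSTSEC-0000-0000"` is intended as the placeholder to be replaced with an assigned identifier before this lands, and that `patched = [">= 0.13.0"]` is correct given that `[affected.functions]` marks `>= 0.11.0` as affected (i.e. 0.11.x and 0.12.x are both vulnerable with no fix in those lines).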