RUSTSEC-2025-0043

matrix-sdk-sqlite: SQL injection vulnerability in SqliteEventCacheStore::find_event_with_relations

Reported

July 11, 2025

Issued

July 11, 2025

Package

matrix-sdk-sqlite (crates.io)

Type

Vulnerability

Categories

format-injection

Keywords

#sql-injection

Aliases

CVE-2025-53549
GHSA-275g-g844-73jh

References

https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-275g-g844-73jh

Patched

>=0.13.0

Unaffected

<0.11.0

Affected Functions

Version

matrix_sdk_sqlite::SqliteEventCacheStore::find_event_relations

>=0.11.0

Description

The SqliteEventCacheStore::find_event_with_relations function constructs SQL queries using format!() with unescaped input, allowing an attacker to inject arbitrary SQL. This results in a SQL injection vulnerability.

Advisory available under CC0-1.0 license.