
handle Matrix federation security issue and room upgrades

There have been some big noises from Matrix.org this week:

https://matrix.org/blog/2025/07/security-predisclosure/

It seems like:

  • on July 22nd, all Matrix servers should upgrade to latest
  • starting from July 22nd, room admins must upgrade their rooms to v12

The impact is unclear; they say:

Only rooms which include users on potentially malicious servers (e.g. publicly joinable rooms on untrusted federations) are vulnerable.

and:

these are not Critical Severity vulnerabilities, there is no requirement for room admins to upgrade rooms immediately on Jul 22nd

It's unclear what the actual vulnerability is, but the above announcement mentions something about "scenarios where Matrix’s state resolution algorithm can give unexpected results".

The fix seems rather radical:

room creators effectively have infinite power level

This is going to be particularly chaotic for us as rooms were created by pretty much whoever.

Assigning to @ahf and @micah since I'm going AFK for three weeks and they're the other two "root" users on Matrix.

The debian.social folks have been notified as well, and I assume they will take the necessary precautions, but I haven't got confirmation. Ping them on #debian-social / OFTC to confirm.
