CVE-2022-39246: CWE-322: Key Exchange without Entity Authentication in matrix-org matrix-android-sdk2

Medium
Published: Wed Sep 28 2022 (09/28/2022, 20:00:19 UTC)
Source: CVE
Vendor/Project: matrix-org
Product: matrix-android-sdk2

Description

matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the key forwarding strategy implemented in the matrix-android-sdk2 that is too permissive. Starting with version 1.5.1, the default policy for accepting key forwards has been made more strict in the matrix-android-sdk2. The matrix-android-sdk2 will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately (for example, by showing a warning for such messages). As a workaround, current users of the SDK can disable key forwarding in their forks using `CryptoService#enableKeyGossiping(enable: Boolean)`.

AI-Powered Analysis

Last updated: 06/22/2025, 16:53:21 UTC

Technical Analysis

CVE-2022-39246 is a vulnerability identified in the matrix-android-sdk2, the Android Software Development Kit for the Matrix decentralized communication protocol. The flaw exists in versions prior to 1.5.1 and stems from an insecure key exchange mechanism lacking proper entity authentication (CWE-322). Specifically, the SDK's key forwarding strategy is overly permissive, allowing a malicious actor, particularly one controlling or cooperating with a malicious Matrix homeserver, to inject messages that appear to originate from another user. This impersonation attack exploits the SDK's acceptance of forwarded encryption keys without verifying the authenticity of the sender device. Although some Matrix clients mark such suspicious messages with a grey shield indicator, this visual warning is inconsistent across platforms, potentially leaving users unaware of the risk. The vulnerability arises because the SDK accepts forwarded keys without ensuring they come from verified devices or in response to legitimate key requests, violating proper authentication protocols (CWE-287). Starting with version 1.5.1, the SDK mitigates this issue by enforcing stricter policies: it only accepts forwarded keys in response to prior requests and exclusively from the user's own verified devices. Additionally, the SDK now sets a 'trusted' flag on decrypted messages based on the trustworthiness of the key source, enabling clients to visually warn users when messages are decrypted with untrusted keys. As a workaround, users of affected SDK versions can disable key forwarding entirely via the CryptoService#enableKeyGossiping(enable: Boolean) method. No known exploits have been reported in the wild, but the vulnerability presents a significant risk to message authenticity and user trust within the Matrix ecosystem on Android devices.
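
A minimal model of the acceptance policy described above, added here as an illustration; it is not code from matrix-android-sdk2. `Forward`, `CryptoStore`, `accept_forward` and `render` are hypothetical names, the sample users and devices are constructed, and `strict=False` stands in for a permissive policy that stores any forwarded key while still recording its provenance so the decoration step can be shown.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Forward:                       # hypothetical model of a forwarded room key
    session_id: str
    from_user: str
    from_device: str

@dataclass
class CryptoStore:                   # hypothetical; not the SDK's own store
    own_user: str
    verified_own_devices: set
    pending_requests: set = field(default_factory=set)  # (session_id, device) we asked
    key_trust: dict = field(default_factory=dict)       # session_id -> trusted flag

def source_is_trusted(store, fwd):
    """True only for a forward we requested, sent by one of our own verified devices."""
    requested = (fwd.session_id, fwd.from_device) in store.pending_requests
    own_verified = (fwd.from_user == store.own_user
                    and fwd.from_device in store.verified_own_devices)
    return requested and own_verified

def accept_forward(store, fwd, strict=True):
    """Apply the forwarding policy; return True if the key was stored."""
    trusted = source_is_trusted(store, fwd)
    if strict and not trusted:
        return False                             # strict default: drop the key
    store.key_trust[fwd.session_id] = trusted    # record provenance for decoration
    store.pending_requests.discard((fwd.session_id, fwd.from_device))
    return True

def render(store, session_id, plaintext):
    """Client-side decoration driven by the trusted flag of the decrypting key."""
    if session_id not in store.key_trust:
        return "[unable to decrypt]"
    if store.key_trust[session_id]:
        return plaintext
    return "[warning: authenticity not guaranteed] " + plaintext

def new_store():  # constructed state: one verified own device, one open request
    return CryptoStore("@alice:example.org", {"ALICEPHONE"}, {("sess1", "ALICEPHONE")})
# Constructed sample forwards; every identifier is made up.
REQUESTED = Forward("sess1", "@alice:example.org", "ALICEPHONE")
UNSOLICITED = Forward("sess2", "@mallory:example.org", "MALLORYDEV")

if __name__ == "__main__":
    for strict in (False, True):
        store = new_store()
        accept_forward(store, UNSOLICITED, strict)
        print("strict" if strict else "permissive", "->", render(store, "sess2", "hello"))
```

Under the strict policy the unsolicited key is never stored, so the message stays undecryptable; under the permissive stand-in it decrypts, and only the warning prefix tells the user its origin is unverified.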

Potential Impact

For European organizations using Matrix-based communication platforms on Android, this vulnerability undermines message integrity and authenticity, enabling attackers to impersonate users by injecting fraudulent messages. This can lead to misinformation, social engineering attacks, or unauthorized command execution in environments relying on Matrix for secure communications. The inconsistency in client-side warnings increases the risk that recipients may unknowingly trust malicious messages. Confidentiality is not directly compromised, but the integrity and non-repudiation of communications are at risk. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that use Matrix for internal or external communications could face reputational damage, operational disruption, or compliance violations if such impersonation attacks occur. The decentralized nature of Matrix and the reliance on homeservers mean that a compromised or malicious homeserver operator can facilitate these attacks, emphasizing the need for strict trust management. Given the widespread adoption of Matrix in privacy-conscious and open-source communities in Europe, the vulnerability could affect a broad range of users and organizations if not mitigated.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1. Upgrade all instances of matrix-android-sdk2 to version 1.5.1 or later, which enforces stricter key forwarding policies and trusted flagging of decrypted messages.
2. For organizations maintaining custom forks or unable to upgrade immediately, disable key forwarding by invoking `CryptoService#enableKeyGossiping(false)` to prevent acceptance of forwarded keys altogether.
3. Ensure that client applications built on the SDK properly implement UI indicators or warnings for messages decrypted with untrusted keys, educating users to recognize and report suspicious communications.
4. Audit and restrict homeserver operators to trusted entities only, as malicious homeservers can facilitate the attack.
5. Implement monitoring and alerting for unusual message patterns or key forwarding activities within Matrix deployments.
6. Conduct user awareness training on the potential for message spoofing and the importance of verifying message authenticity, especially in sensitive communication contexts.
7. Collaborate with Matrix client developers to standardize and enforce consistent visual warnings across platforms for messages decrypted with untrusted keys.

These steps go beyond generic patching by addressing operational, user interface, and organizational trust aspects critical to mitigating this vulnerability effectively.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9845c4522896dcbf4481

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 4:53:21 PM

Last updated: 7/26/2025, 1:00:36 PM