vulnerability
FreeBSD: VID-4ebaa983-3299-11ed-95f8-901b0e9408dc: dendrite -- Signature checks not applied to some retrieved missing events
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 1 | (AV:N/AC:L/Au:N/C:N/I:N/A:N) | Sep 12, 2022 | Nov 4, 2022 | Dec 10, 2025 |
Severity
1
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:N)
Published
Sep 12, 2022
Added
Nov 4, 2022
Modified
Dec 10, 2025
Description
Dendrite team reports: Events retrieved from a remote homeserver using /get_missing_events did not have their signatures verified correctly. This could potentially allow a remote homeserver to provide invalid/modified events to Dendrite via this endpoint. Note that this does not apply to events retrieved through other endpoints (e.g. /event, /state) as they have been correctly verified. Homeservers that have federation disabled are not vulnerable.
Solution
freebsd-upgrade-package-dendrite
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.