Matrix Specification State Resolution Deficiency Vulnerability

Vulnerability

A vulnerability exists in the Matrix specification prior to version 1.16, specifically in rooms using a room version earlier than 12, which rely on a State Resolution algorithm earlier than version 2.1. The deficiency lies in how state resolution reconciles conflicting room state: under certain event sequences it can produce a 'state reset', in which the room's current state is reverted to an earlier value, disrupting access control and room membership. Such resets have been observed in various public rooms on the Matrix network.

Impact

Exploitation of this vulnerability corrupts a room's state by resetting it to an earlier value, for example reverting access control or room membership to a previous configuration. This does not expose conversation history or any additional data.

Remediation

Matrix server administrators should upgrade their homeserver to a release that supports room version 12, which adopts State Resolution v2.1 and addresses these deficiencies. Note that the room version is a property of each room, not of the server: existing rooms stay on their old version after the server upgrade and must be upgraded to room version 12 by a room administrator, which creates a new room and leaves a tombstone in the old one. Instructions for upgrading are available in the Matrix.org blog post titled 'Security Release'.
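The following script is an added example for this remediation; it is not taken from the page or from Matrix.org. It classifies rooms by the room_version field of their m.room.create state event (absent means version "1" per the specification), flags rooms below 12, and builds the client-server API request that upgrades a room. The sample create events are constructed; the live audit function assumes a homeserver URL and a client access token.

```python
"""Audit Matrix rooms for pre-v12 room versions (State Resolution < 2.1)."""
import json
import urllib.parse
import urllib.request

# Room version 12 is the first to use State Resolution v2.1.
FIXED_ROOM_VERSION = 12

# Constructed sample data: m.room.create content for four hypothetical rooms.
SAMPLE_CREATE_EVENTS = {
    "!legacy:example.org": {"creator": "@alice:example.org"},  # no room_version => "1"
    "!v10:example.org": {"creator": "@alice:example.org", "room_version": "10"},
    "!v12:example.org": {"room_version": "12"},
    "!custom:example.org": {"room_version": "org.example.experimental"},
}


def room_version(create_content):
    """Return the room version string; the spec default is "1" when the field is absent."""
    return str(create_content.get("room_version", "1"))


def needs_upgrade(create_content):
    """True if the room uses pre-2.1 state resolution (numeric room version below 12).

    Returns None for non-numeric (custom/experimental) versions, which need manual review
    because their state resolution algorithm cannot be inferred from the version string.
    """
    version = room_version(create_content)
    if not version.isdigit():
        return None
    return int(version) < FIXED_ROOM_VERSION


def audit(create_events):
    """Map room id -> 'upgrade', 'ok' or 'review' for a dict of room id -> create content."""
    verdicts = {}
    for room_id, content in create_events.items():
        result = needs_upgrade(content)
        if result is None:
            verdicts[room_id] = "review"
        else:
            verdicts[room_id] = "upgrade" if result else "ok"
    return verdicts


def upgrade_request(room_id, new_version=str(FIXED_ROOM_VERSION)):
    """Build the client-server API call that upgrades a room to a new version.

    POST /_matrix/client/v3/rooms/{roomId}/upgrade with body {"new_version": "12"}.
    The room id contains '!' and ':' and must be percent-encoded in the path.
    """
    path = "/_matrix/client/v3/rooms/%s/upgrade" % urllib.parse.quote(room_id, safe="")
    return "POST", path, json.dumps({"new_version": new_version})


def fetch_create_events(homeserver, access_token):
    """Live audit: list joined rooms and fetch each room's m.room.create (needs network).

    Assumes `homeserver` is a base URL such as https://matrix.example.org and
    `access_token` is a client access token for an account joined to the rooms.
    """
    def get(path):
        req = urllib.request.Request(
            homeserver + path, headers={"Authorization": "Bearer " + access_token}
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    events = {}
    for room_id in get("/_matrix/client/v3/joined_rooms")["joined_rooms"]:
        encoded = urllib.parse.quote(room_id, safe="")
        events[room_id] = get("/_matrix/client/v3/rooms/%s/state/m.room.create" % encoded)
    return events


if __name__ == "__main__":
    for rid, verdict in audit(SAMPLE_CREATE_EVENTS).items():
        print(rid, verdict)
        if verdict == "upgrade":
            print("  ", *upgrade_request(rid))
```

Upgrading is not transparent to users: the upgrade endpoint creates a new room, writes an m.room.tombstone into the old one, and members must join the new room, so the rollout should be announced. Servers that do not yet support version 12 will reject the upgrade, which is why the homeserver upgrade must come first.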

Added: Oct 2, 2025, 8:04 PM
Updated: Oct 2, 2025, 8:04 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.