CVE-2025-24024
Published: 21 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24024 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) affecting Mjolnir version 1.9.0, an open-source moderation bot for Matrix servers. The flaw stems from the bot responding to management commands issued from any room it is a member of, rather than restricting them to authorized operator rooms. This misconfiguration enables unauthorized access to the bot's full range of functions, including potentially sensitive server administration capabilities if those components are enabled (CWE-671: Unauthorized Control Sphere Application Violation).
Any user present in a room that a Mjolnir v1.9.0 bot has joined can exploit this vulnerability remotely over the network with low complexity and no required privileges or user interaction. Attackers can issue arbitrary management commands to manipulate the bot's behavior, such as banning users, modifying room configurations, or executing server-level administrative actions if configured, leading to significant integrity and availability impacts.
Mitigation involves upgrading to Mjolnir version 1.9.1, which reverts the problematic feature, or version 1.9.2, which reintroduces it with proper safeguards. If upgrading to 1.9.1 or later is not feasible, administrators should downgrade to version 1.8.3. Details are available in the GitHub security advisory (GHSA-3jq6-xc85-m394) and related commits (b437fa16 and d0ef527a).
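The defect described above is a missing origin check: the bot treated every joined room as a command source. The following TypeScript is an added example, not Mjolnir's own code (the advisory does not reproduce the patch), contrasting a dispatcher that honours commands from any room with one that only honours them from a configured management room and records rejected attempts. The room IDs, user IDs, command set and the `BotState` shape are all constructed for the example.

```typescript
// Added example, not Mjolnir's own code: the room-origin check the advisory
// describes as missing in 1.9.0, shown as a vulnerable and a hardened dispatcher.
// Room IDs, user IDs, command names and the BotState shape are constructed.

const COMMAND_PREFIX = "!mjolnir";

interface RoomMessage {
  roomId: string; // Matrix room the message was posted in
  sender: string; // Matrix user ID of the poster
  body: string;   // message text
}

interface Command {
  name: string;
  args: string[];
}

interface BotState {
  managementRoomId: string; // the only room allowed to issue commands
  bannedUsers: Set<string>; // users the bot has banned
  auditLog: string[];       // one line per command decision
}

function newState(managementRoomId: string): BotState {
  return { managementRoomId, bannedUsers: new Set<string>(), auditLog: [] };
}

// Parse "!mjolnir <name> [args...]"; anything else is ordinary chat.
function parseCommand(body: string): Command | null {
  const parts = body.trim().split(/\s+/);
  if (parts[0] !== COMMAND_PREFIX || parts.length < 2) return null;
  return { name: parts[1], args: parts.slice(2) };
}

// Apply a parsed command to bot state. Returns true if the command was recognised.
function executeCommand(state: BotState, msg: RoomMessage, cmd: Command): boolean {
  switch (cmd.name) {
    case "ban":
      if (cmd.args.length < 1) return false;
      state.bannedUsers.add(cmd.args[0]);
      state.auditLog.push(`executed ban ${cmd.args[0]} for ${msg.sender} in ${msg.roomId}`);
      return true;
    case "unban":
      if (cmd.args.length < 1) return false;
      state.bannedUsers.delete(cmd.args[0]);
      state.auditLog.push(`executed unban ${cmd.args[0]} for ${msg.sender} in ${msg.roomId}`);
      return true;
    default:
      return false;
  }
}

// Vulnerable pattern (the class of defect in the advisory): a command is honoured
// regardless of which joined room it arrives from.
function handleMessageAnyRoom(state: BotState, msg: RoomMessage): boolean {
  const cmd = parseCommand(msg.body);
  if (cmd === null) return false;
  return executeCommand(state, msg, cmd);
}

// Hardened pattern: the room of origin is checked before the command is acted on,
// and rejected attempts are logged so operators can see them.
function handleMessageRestricted(state: BotState, msg: RoomMessage): boolean {
  const cmd = parseCommand(msg.body);
  if (cmd === null) return false;
  if (msg.roomId !== state.managementRoomId) {
    state.auditLog.push(`rejected ${cmd.name} from ${msg.sender} in non-management room ${msg.roomId}`);
    return false;
  }
  return executeCommand(state, msg, cmd);
}

// Run the same constructed traffic through both dispatchers and report the outcome.
function demo(): { vulnerableBanned: string[]; hardenedBanned: string[]; rejected: number } {
  const MGMT = "!management:example.org"; // constructed room IDs
  const PUBLIC = "!public:example.org";
  const traffic: RoomMessage[] = [
    { roomId: PUBLIC, sender: "@someone:example.org", body: "hello everyone" },
    { roomId: PUBLIC, sender: "@someone:example.org", body: "!mjolnir ban @bystander:example.org" },
    { roomId: MGMT, sender: "@moderator:example.org", body: "!mjolnir ban @spammer:example.org" },
  ];

  const vulnerable = newState(MGMT);
  const hardened = newState(MGMT);
  for (const msg of traffic) {
    handleMessageAnyRoom(vulnerable, msg);
    handleMessageRestricted(hardened, msg);
  }
  return {
    vulnerableBanned: Array.from(vulnerable.bannedUsers).sort(),
    hardenedBanned: Array.from(hardened.bannedUsers).sort(),
    rejected: hardened.auditLog.filter((line) => line.startsWith("rejected")).length,
  };
}
```

Both dispatchers see the same three messages. The vulnerable one applies the ban issued from the public room; the hardened one applies only the ban from the management room and leaves an audit line for the rejected attempt, which is the signal an operator would want to alert on. Checking the room of origin is one control among several a moderation bot needs; the advisory does not describe the safeguards 1.9.2 adds, and this example does not claim to reproduce them.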
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthorized execution of management commands on the publicly accessible Mjolnir bot by bypassing room authorization restrictions, directly enabling exploitation of a public-facing application.