
GHSA-pfw4-xjgm-267c

GitHub Security Advisory

Dendrite signature checks not applied to some retrieved missing events

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact

Events retrieved from a remote homeserver using `/get_missing_events` did not have their signatures verified correctly. This could allow a malicious or compromised remote homeserver to supply invalid or modified events to Dendrite via this endpoint, bypassing the signature check that federation otherwise relies on to tie an event to the server claiming to have sent it.

Note that this does not apply to events retrieved through other endpoints (e.g. `/event`, `/state`), as those code paths already verify signatures correctly.

Homeservers that have federation disabled are not vulnerable.
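As an added example (not Dendrite's code, and a deliberately simplified stand-in for the Matrix signing scheme), the Go program below models the two code paths the advisory contrasts. Events are signed the way Matrix outlines it, by removing `signatures` and `unsigned`, encoding the rest as canonical JSON and signing with ed25519, but redaction and content hashes are left out. The `Event` and `KeyStore` types, the `remote.example` origin, the `ed25519:k1` key ID and the `{"events": [...]}` response body are all assumptions constructed here for illustration. The flawed `/get_missing_events` path used the decoded events directly; `acceptVerified` is the check the other endpoints already applied.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Event is a federation event (PDU) as decoded from the wire; KeyStore stands in for the
// cache of remote servers' verify keys, keyed by "origin/key_id" (both assumed here).
type Event map[string]interface{}
type KeyStore map[string]ed25519.PublicKey

// clone is a shallow copy so top-level fields can be changed without touching the original.
func clone(e Event) Event {
	c := make(Event, len(e)+1)
	for k, v := range e {
		c[k] = v
	}
	return c
}

// canonicalJSON returns the signed bytes: the event minus "signatures" and "unsigned", sorted keys, no whitespace, no HTML escaping.
func canonicalJSON(e Event) ([]byte, error) {
	stripped := clone(e)
	delete(stripped, "signatures")
	delete(stripped, "unsigned")
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // keep "<" and "&" literal so signer and verifier see identical bytes
	if err := enc.Encode(stripped); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

// signEvent returns a copy of e carrying an ed25519 signature under signatures[origin][keyID].
func signEvent(e Event, origin, keyID string, priv ed25519.PrivateKey) (Event, error) {
	msg, err := canonicalJSON(e)
	if err != nil {
		return nil, err
	}
	signed := clone(e)
	signed["signatures"] = map[string]interface{}{origin: map[string]interface{}{
		keyID: base64.RawStdEncoding.EncodeToString(ed25519.Sign(priv, msg)),
	}}
	return signed, nil
}

// verifyEvent accepts e only if some signature from e["origin"] verifies under a key we hold; everything else fails closed.
func verifyEvent(e Event, keys KeyStore) error {
	origin, _ := e["origin"].(string)
	msg, err := canonicalJSON(e)
	if err != nil {
		return err
	}
	sigs, _ := e["signatures"].(map[string]interface{}) // absent => nil map; the loop runs zero times
	originSigs, _ := sigs[origin].(map[string]interface{})
	for keyID, v := range originSigs {
		pub, known := keys[origin+"/"+keyID]
		encoded, isStr := v.(string)
		if !known || !isStr {
			continue // unknown key or malformed entry cannot vouch for the event
		}
		if sig, err := base64.RawStdEncoding.DecodeString(encoded); err == nil && ed25519.Verify(pub, msg, sig) {
			return nil
		}
	}
	return fmt.Errorf("event %v: no valid signature from %q", e["event_id"], origin)
}

// decodeMissingEvents parses a /get_missing_events style response body: {"events": [...]}.
func decodeMissingEvents(body []byte) ([]Event, error) {
	var resp struct{ Events []Event `json:"events"` }
	err := json.Unmarshal(body, &resp)
	return resp.Events, err
}

// acceptVerified is the check the advisory says this path lacked: verify each retrieved event before use.
func acceptVerified(events []Event, keys KeyStore) (accepted []Event, rejected []error) {
	for _, e := range events {
		if err := verifyEvent(e, keys); err != nil {
			rejected = append(rejected, err)
		} else {
			accepted = append(accepted, e)
		}
	}
	return accepted, rejected
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	keys := KeyStore{"remote.example/ed25519:k1": pub} // assumed remote server name and key ID
	genuine, _ := signEvent(Event{"event_id": "$a", "origin": "remote.example", "type": "m.room.message",
		"content": map[string]interface{}{"body": "hello"}}, "remote.example", "ed25519:k1", priv)
	forged := clone(genuine)
	forged["content"] = map[string]interface{}{"body": "forged"} // the signature no longer covers this
	body, _ := json.Marshal(map[string]interface{}{"events": []Event{genuine, forged}}) // constructed response
	events, _ := decodeMissingEvents(body) // the flawed path would have used events directly from here
	accepted, rejected := acceptVerified(events, keys)
	fmt.Printf("%d received, %d accepted, %d rejected: %v\n", len(events), len(accepted), len(rejected), rejected)
}
```

Running it accepts the genuine event and rejects the tampered copy, because the forged `content` no longer matches the bytes the remote signed. Two details matter for anyone wiring such a check into a real server: the verifier must canonicalise the event exactly as the signer did (after a JSON round trip, integer-valued numbers still encode as integers here, and HTML escaping is off on both sides), and an event with no `origin`, no `signatures` block or only signatures from keys the verifier does not hold must be rejected rather than waved through.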

### Patches

The problem has been fixed in Dendrite 0.9.8.

### Workarounds

There are no workarounds.

### Special thanks

Tulir Asokan, who spotted the issue originally.

Affected Packages

Go: github.com/matrix-org/dendrite
Affected versions: all versions before 0.9.8 (fixed in 0.9.8)


Key Information

GHSA ID
GHSA-pfw4-xjgm-267c
Published
September 15, 2022 3:28 AM
Last Modified
September 15, 2022 3:28 AM
CVSS Score
7.5 / 10
Primary Ecosystem
Go
Primary Package
github.com/matrix-org/dendrite
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.