CVE-2025-23197

MEDIUM

Matrix-hookshot <6.0.1,5.4.1 - DoS

Title source: llm

Description

matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. When Hookshot 6 version 6.0.1 or below, or Hookshot 5 version 5.4.1 or below, is configured with GitHub support, it is vulnerable to a Denial of Service (DoS) whereby it can crash on restart due to a missing check. The impact is greater to you untrusted users can add their own GitHub organizations to Hookshot in order to connect their room to a repository. This vulnerability is fixed in 6.0.2 and 5.4.2.

References (2)

[Vendor Advisory] https://github.com/matrix-org/matrix-hookshot/security/advisories/GHSA-cr4q-jf47-3645

[Patch] https://github.com/matrix-org/matrix-hookshot/commit/e51d8210233ac759e7f7dfebc2c4f1bf6ce94802

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0056

EPSS Percentile 68.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-754

Status published

Products (2)

matrix-org/matrix-hookshot < 5.4.2

matrix-org/matrix-hookshot >= 6.0.0, < 6.0.2

Published Jan 27, 2025

Tracked Since Feb 18, 2026