Description
Clients need to support room version 12 or the fix can't be applied
Security Release
2025-08-11 — Security — Jim Mackenzie, VP Trust & Safety — The Matrix.org Foundation
Hi all,
Last month we issued a Pre-disclosure: Upcoming coordinated security fix for all Matrix server implementations, describing a coordinated release to fix two high severity protocol vulnerabilities (CVE-2025-49090; the other not yet allocated a CVE). That release is now available as of 17:00 UTC on August 11, 2025. Server updates are now available, and MSCs & spec updates will follow on Thursday, August 14, 2025, bringing us to version 1.16 of the spec later in the month, and introducing room version 12.
What is changing?
Room version 12 includes some changes to the semantics for room creators. Room creators are now privileged over other users in the room as of MSC4289. There is also a new additional_creators field in the m.room.create event for a room.
The default power level in room v12 for sending m.room.tombstone events to upgrade rooms is now 150. This stops normal admins from upgrading the room (and so assuming creator privileges) - instead, a creator has to explicitly boost an admin's power level to 150 in order to let them upgrade the room and effectively assume creator rights going forwards.
Room IDs are now hashes of the m.room.create event via MSC4291. This changes the format of the room ID that you are used to seeing, and your Matrix client will need to be updated to handle this new format.
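A sketch of client-side room ID handling that accepts both the older form and the new hash form, added here as an illustration; it is not code from the Matrix.org post or from this project. The names `RoomId` and `parse_room_id` are hypothetical, and the exact hash format (43 characters of unpadded URL-safe base64, no server part) is an assumption taken from MSC4291 rather than from this page.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumption (from MSC4291, not stated on this page): a v12 room ID is "!" plus
# the unpadded URL-safe base64 SHA-256 reference hash of m.room.create, which
# is 43 characters with no ":server" part. Older IDs are "!opaque:server".
_HASH_BODY = re.compile(r"[A-Za-z0-9_-]{43}")


@dataclass(frozen=True)
class RoomId:
    raw: str
    kind: str                      # "legacy" or "hash"
    server_name: Optional[str]     # None for hash IDs: no domain to route on
    create_hash: Optional[bytes]   # 32-byte digest for hash IDs


def parse_room_id(room_id: str) -> RoomId:
    """Parse either room ID form; raise ValueError on anything else."""
    if not room_id.startswith("!"):
        raise ValueError("room ID must start with '!'")
    body = room_id[1:]
    if ":" in body:
        # Legacy form: split on the FIRST colon so ports and IPv6 literals survive.
        opaque, _, server = body.partition(":")
        if not opaque or not server:
            raise ValueError("legacy room ID needs both opaque part and server")
        return RoomId(room_id, "legacy", server, None)
    # Hash form: check the alphabet first, since b64decode skips stray characters.
    if not _HASH_BODY.fullmatch(body):
        raise ValueError("room ID has no server part and is not a 43-char hash")
    digest = base64.urlsafe_b64decode(body + "=")
    if len(digest) != 32:
        raise ValueError("room ID hash is not 32 bytes")
    return RoomId(room_id, "hash", None, digest)


if __name__ == "__main__":
    # Constructed samples; the digest is a stand-in, not a real reference hash.
    fake = hashlib.sha256(b"constructed m.room.create").digest()
    samples = ["!oldstyle:example.org",
               "!" + base64.urlsafe_b64encode(fake).decode().rstrip("="),
               "!tooshort"]
    for s in samples:
        try:
            print(s, "->", parse_room_id(s))
        except ValueError as e:
            print(s, "-> rejected:", e)
```

Code that derives a server name from the room ID (for example to pick a server to join through) has to treat `server_name is None` as a normal case and take that hint from elsewhere.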