{"id":"GO-2022-0952","summary":"Incorrect event parsing in github.com/matrix-org/gomatrixserverlib","details":"Power level parsing does not parse the \"events_default\" key of the m.room.power_levels event, setting the event default power level to zero in all cases. This can cause events to be improperly accepted or rejected in rooms where the event_default power level has been changed.","aliases":["CVE-2022-36009","GHSA-grvv-h2f9-7v9c"],"modified":"2026-03-17T04:29:02.785004Z","published":"2022-08-22T18:08:50Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0952","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074b6b62c06dea4575"}],"affected":[{"package":{"name":"github.com/matrix-org/gomatrixserverlib","ecosystem":"Go","purl":"pkg:golang/github.com/matrix-org/gomatrixserverlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20220815091947-723fd495dde8"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/matrix-org/gomatrixserverlib","symbols":["Allowed","Event.PowerLevels","EventsLoader.LoadAndVerify","HeaderedReverseTopologicalOrdering","NewPowerLevelContentFromAuthEvents","NewPowerLevelContentFromEvent","RequestBackfill","ResolveConflicts","ResolveStateConflicts","ResolveStateConflictsV2","RespSendJoin.Check","RespState.Check","RespState.Events","ReverseTopologicalOrdering","VerifyAuthRulesAtState","VerifyEventAuthChain"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0952.json"}}],"schema_version":"1.7.5"}