Coordinated Matrix security update

August 11, 2025
Security

Here’s what Element customers need to know

The Matrix.org Foundation has published a pre-disclosure and has just released details of a high-priority security release. The fix was issued at 17:00 UTC on Monday 11th August 2025 and is accompanied by an off-cycle spec update (Matrix 1.16) that introduces Room Version 12 to close two newly identified federation vulnerabilities, one already filed as CVE-2025-49090.

Users of Element Server Suite Pro

Element’s customers using Element Server Suite Pro (ESS Pro) are already covered by our Advance Security Advisory programme. The nominated technical contact will already have the advisory. A new ESS Pro release (25.08.01) is expected to appear on the download portal on the 12th of August. If you’re on an ESS Pro LTS track, the update will be delivered through the usual long‑term‑support channel. To apply the fixes to at-risk rooms, rooms need to be upgraded to the new room version 12. Automation scripts for bulk room upgrades will be made available, including instructions on how to use them. It is recommended that you let your user base know that the upgrade messages they see are part of a planned security release, not an unexpected glitch.

The upgrade is straightforward, but contact Element Support via your normal channels for Level 3 Support.

Although air-gapped environments are less exposed to the vulnerability, we recommend such deployments upgrade anyway to stay aligned.

Users of Element Server Suite Community

ESS Community is unsupported, but does receive full stack security updates as the embargo lifts. The new release is expected to become available on the 12th of August. The update is seamless and expected to be quick. At-risk rooms will have to be upgraded to room version 12 by their room administrators/moderators.

When do I need to act and which rooms are at risk?

All homeserver administrators should upgrade to the new releases as soon as possible. 

Whether you also need to apply the security updates to your rooms depends on your homeserver configuration and usage scenario. Rooms are only at risk if they have room members from untrusted homeservers. If you trust the homeservers participating in a room, you don’t need to upgrade the room.

  • Single instance, unfederated homeserver:
    You are running a single instance of a Matrix homeserver, and federation is disabled. There is nothing you need to do and we do not recommend upgrading rooms in this case.
  • Homeservers operating in a restricted federation:
    Your server(s) are running as part of a restricted federation - i.e. you have mechanisms in place (homeserver configuration, Secure Border Gateways, or network restrictions) that limit which other homeservers your homeservers can talk to.
    • If you fully trust all of the homeservers in this restricted federation then there is nothing you need to do.
    • If you do not fully trust all of the homeservers in this restricted federation (e.g. if they are run by partners outside of your direct span of control), you should upgrade at-risk rooms at your convenience, but the risk here is very low.
  • Homeservers participating in open, unrestricted federation:
    If your server is participating in open federation, you should upgrade at-risk rooms when feasible.
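
The triage rule above can be applied to a room inventory mechanically. The following is an added example, not Element or Matrix.org tooling: the inventory layout, function names and server names are hypothetical, and it assumes you have already exported each room's version and member user IDs and that a room already on version 12 needs no further action.

```python
# Added example: constructed data and hypothetical names throughout.
FIXED_ROOM_VERSION = "12"  # room version introduced by this release

def server_of(mxid):
    """Return the homeserver part of a Matrix user ID (@localpart:server_name)."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a Matrix user ID: {mxid!r}")
    # Split on the first colon only: the server name may itself contain
    # colons (a port, or an IPv6 literal such as [2001:db8::1]:8448).
    return mxid.split(":", 1)[1].lower()

def at_risk_rooms(rooms, trusted_servers, federation_enabled=True):
    """Map room ID -> sorted untrusted homeservers that have members in it."""
    if not federation_enabled:
        return {}  # single unfederated instance: nothing to upgrade
    trusted = {s.lower() for s in trusted_servers}
    flagged = {}
    for room_id, room in rooms.items():
        if room["version"] == FIXED_ROOM_VERSION:
            continue  # assumption: an already-upgraded room needs no action
        untrusted = sorted({server_of(m) for m in room["members"]} - trusted)
        if untrusted:
            flagged[room_id] = untrusted
    return flagged

# Constructed inventory: room ID -> room version and member user IDs.
ROOMS = {
    "!ops:corp.example": {
        "version": "10",
        "members": ["@alice:corp.example", "@bob:corp.example"],
    },
    "!partners:corp.example": {
        "version": "11",
        "members": ["@alice:corp.example", "@carol:partner.example",
                    "@dave:Partner.Example:8448"],
    },
    "!public:corp.example": {
        "version": "12",
        "members": ["@alice:corp.example", "@eve:unknown.example"],
    },
}
TRUSTED = {"corp.example"}  # homeservers you fully trust

if __name__ == "__main__":
    for room_id, servers in at_risk_rooms(ROOMS, TRUSTED).items():
        print(f"{room_id}: upgrade to v{FIXED_ROOM_VERSION}, untrusted: {servers}")
```

A server name with an explicit port is a distinct server name, so `partner.example:8448` has to be trusted separately from `partner.example`.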

Element frontend clients (aka apps)

Customers should be using the following Element client versions, or later versions:

Element Web v1.11.109
Element Desktop v1.11.109
Element X Pro Android 25.08.1
Element X Android 25.08.1
Element X Pro iOS 25.08.3
Element X iOS 25.08.3
Element Classic Android 1.6.44 
Element Classic iOS 1.11.31

In addition to the Advance Security Advisory outreach, all ESS Pro and ESS Pro LTS subscribers will be contacted by Element Support to guide them through the process. 

If you have any questions about this release or how ESS Pro will seamlessly help navigate this high‑priority security release, please do get in touch.
