Lookup for vulnerable packages by Package URL.

Purl pkg:npm/matrix-js-sdk@31.4.0-rc.0
Type npm
Namespace
Name matrix-js-sdk
Version 31.4.0-rc.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 38.2.0
Latest_non_vulnerable_version 38.2.0
Affected_by_vulnerabilities
0
url VCID-6szy-r2cd-9kfw
vulnerability_id VCID-6szy-r2cd-9kfw
summary
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal
### Summary

matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.

### Details

The Matrix specification requires homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation.

### Patches

Fixed in matrix-js-sdk 34.11.1.

### Workarounds

None.

### References

- https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5
- https://blog.doyensec.com/2024/07/02/cspt2csrf.html
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-50336
reference_id
reference_type
scores
0
value 0.00647
scoring_system epss
scoring_elements 0.70702
published_at 2026-04-02T12:55:00Z
1
value 0.00877
scoring_system epss
scoring_elements 0.75353
published_at 2026-04-18T12:55:00Z
2
value 0.00877
scoring_system epss
scoring_elements 0.75346
published_at 2026-04-16T12:55:00Z
3
value 0.00877
scoring_system epss
scoring_elements 0.75307
published_at 2026-04-13T12:55:00Z
4
value 0.00877
scoring_system epss
scoring_elements 0.7534
published_at 2026-04-11T12:55:00Z
5
value 0.00877
scoring_system epss
scoring_elements 0.75318
published_at 2026-04-12T12:55:00Z
6
value 0.00877
scoring_system epss
scoring_elements 0.75308
published_at 2026-04-08T12:55:00Z
7
value 0.00877
scoring_system epss
scoring_elements 0.75265
published_at 2026-04-07T12:55:00Z
8
value 0.00877
scoring_system epss
scoring_elements 0.75288
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-50336
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/matrix-org/matrix-js-sdk
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/matrix-org/matrix-js-sdk
4
reference_url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/
url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr
5
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-50336
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-50336
7
reference_url https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/
url https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5
8
reference_url https://github.com/advisories/GHSA-xvg8-m4x3-w6xr
reference_id GHSA-xvg8-m4x3-w6xr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xvg8-m4x3-w6xr
9
reference_url https://security.gentoo.org/glsa/202505-03
reference_id GLSA-202505-03
reference_type
scores
url https://security.gentoo.org/glsa/202505-03
10
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2024-69
reference_id mfsa2024-69
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2024-69
11
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2025-04
reference_id mfsa2025-04
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2025-04
12
reference_url https://usn.ubuntu.com/7991-1/
reference_id USN-7991-1
reference_type
scores
url https://usn.ubuntu.com/7991-1/
fixed_packages
0
url pkg:npm/matrix-js-sdk@34.11.1
purl pkg:npm/matrix-js-sdk@34.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-tj5a-r7hy-zfer
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.11.1
aliases CVE-2024-50336, GHSA-xvg8-m4x3-w6xr
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6szy-r2cd-9kfw
1
url VCID-9uwh-r958-gyg3
vulnerability_id VCID-9uwh-r958-gyg3
summary
matrix-js-sdk will freeze when a user sets a room with itself as its predecessor
### Impact
A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but is also called by the `leaveRoomChain()` method, so leaving a room will also trigger the bug.

Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)), we classify this as a High severity issue.

### Patches
This was patched in matrix-js-sdk 34.3.1.

### Workarounds
Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`.

### References
N/A.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-42369
reference_id
reference_type
scores
0
value 0.00205
scoring_system epss
scoring_elements 0.42638
published_at 2026-04-02T12:55:00Z
1
value 0.00205
scoring_system epss
scoring_elements 0.42685
published_at 2026-04-18T12:55:00Z
2
value 0.00205
scoring_system epss
scoring_elements 0.42699
published_at 2026-04-16T12:55:00Z
3
value 0.00205
scoring_system epss
scoring_elements 0.42639
published_at 2026-04-13T12:55:00Z
4
value 0.00205
scoring_system epss
scoring_elements 0.42656
published_at 2026-04-12T12:55:00Z
5
value 0.00205
scoring_system epss
scoring_elements 0.42693
published_at 2026-04-11T12:55:00Z
6
value 0.00205
scoring_system epss
scoring_elements 0.42669
published_at 2026-04-09T12:55:00Z
7
value 0.00205
scoring_system epss
scoring_elements 0.42658
published_at 2026-04-08T12:55:00Z
8
value 0.00205
scoring_system epss
scoring_elements 0.42606
published_at 2026-04-07T12:55:00Z
9
value 0.00205
scoring_system epss
scoring_elements 0.42666
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-42369
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369
2
reference_url https://github.com/matrix-org/matrix-js-sdk
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/matrix-org/matrix-js-sdk
3
reference_url https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/
url https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
4
reference_url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/
url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-42369
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-42369
6
reference_url https://github.com/advisories/GHSA-vhr5-g3pm-49fm
reference_id GHSA-vhr5-g3pm-49fm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vhr5-g3pm-49fm
fixed_packages
0
url pkg:npm/matrix-js-sdk@34.3.1
purl pkg:npm/matrix-js-sdk@34.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6szy-r2cd-9kfw
1
vulnerability VCID-qetp-58nm-4fes
2
vulnerability VCID-tj5a-r7hy-zfer
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.3.1
aliases CVE-2024-42369, GHSA-vhr5-g3pm-49fm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9uwh-r958-gyg3
2
url VCID-qetp-58nm-4fes
vulnerability_id VCID-qetp-58nm-4fes
summary
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
### Impact
In matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. The method implements functionality proposed in [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room.

However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks.

Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments.

### Patches
Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality.

### Workarounds
Remove use of affected functionality from clients.

### References
- [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061)

### For more information
If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47080
reference_id
reference_type
scores
0
value 0.0058
scoring_system epss
scoring_elements 0.68933
published_at 2026-04-18T12:55:00Z
1
value 0.0058
scoring_system epss
scoring_elements 0.68853
published_at 2026-04-04T12:55:00Z
2
value 0.0058
scoring_system epss
scoring_elements 0.68923
published_at 2026-04-16T12:55:00Z
3
value 0.0058
scoring_system epss
scoring_elements 0.68882
published_at 2026-04-13T12:55:00Z
4
value 0.0058
scoring_system epss
scoring_elements 0.68911
published_at 2026-04-12T12:55:00Z
5
value 0.0058
scoring_system epss
scoring_elements 0.68926
published_at 2026-04-11T12:55:00Z
6
value 0.0058
scoring_system epss
scoring_elements 0.68834
published_at 2026-04-07T12:55:00Z
7
value 0.0058
scoring_system epss
scoring_elements 0.68884
published_at 2026-04-08T12:55:00Z
8
value 0.0058
scoring_system epss
scoring_elements 0.68833
published_at 2026-04-02T12:55:00Z
9
value 0.0058
scoring_system epss
scoring_elements 0.68903
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47080
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080
2
reference_url https://github.com/matrix-org/matrix-js-sdk
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/matrix-org/matrix-js-sdk
3
reference_url https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/
url https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f
4
reference_url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/
url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c
5
reference_url https://github.com/matrix-org/matrix-spec-proposals/pull/3061
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/
url https://github.com/matrix-org/matrix-spec-proposals/pull/3061
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47080
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47080
7
reference_url https://github.com/advisories/GHSA-4jf8-g8wp-cx7c
reference_id GHSA-4jf8-g8wp-cx7c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4jf8-g8wp-cx7c
fixed_packages
0
url pkg:npm/matrix-js-sdk@34.8.0
purl pkg:npm/matrix-js-sdk@34.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6szy-r2cd-9kfw
1
vulnerability VCID-tj5a-r7hy-zfer
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.8.0
aliases CVE-2024-47080, GHSA-4jf8-g8wp-cx7c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qetp-58nm-4fes
3
url VCID-tj5a-r7hy-zfer
vulnerability_id VCID-tj5a-r7hy-zfer
summary
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59160
reference_id
reference_type
scores
0
value 0.00079
scoring_system epss
scoring_elements 0.23658
published_at 2026-04-04T12:55:00Z
1
value 0.00079
scoring_system epss
scoring_elements 0.23575
published_at 2026-04-11T12:55:00Z
2
value 0.00079
scoring_system epss
scoring_elements 0.23557
published_at 2026-04-09T12:55:00Z
3
value 0.00079
scoring_system epss
scoring_elements 0.23508
published_at 2026-04-08T12:55:00Z
4
value 0.00079
scoring_system epss
scoring_elements 0.23437
published_at 2026-04-07T12:55:00Z
5
value 0.00079
scoring_system epss
scoring_elements 0.2362
published_at 2026-04-02T12:55:00Z
6
value 0.00085
scoring_system epss
scoring_elements 0.24658
published_at 2026-04-18T12:55:00Z
7
value 0.00085
scoring_system epss
scoring_elements 0.24665
published_at 2026-04-16T12:55:00Z
8
value 0.00085
scoring_system epss
scoring_elements 0.24652
published_at 2026-04-13T12:55:00Z
9
value 0.00085
scoring_system epss
scoring_elements 0.2471
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59160
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160
2
reference_url https://github.com/matrix-org/matrix-js-sdk
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/matrix-org/matrix-js-sdk
3
reference_url https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/
url https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4
4
reference_url https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0
5
reference_url https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59160
reference_id CVE-2025-59160
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59160
7
reference_url https://github.com/advisories/GHSA-mp7c-m3rh-r56v
reference_id GHSA-mp7c-m3rh-r56v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mp7c-m3rh-r56v
8
reference_url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v
reference_id GHSA-mp7c-m3rh-r56v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/
url https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v
fixed_packages
0
url pkg:npm/matrix-js-sdk@38.2.0
purl pkg:npm/matrix-js-sdk@38.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@38.2.0
aliases CVE-2025-59160, GHSA-mp7c-m3rh-r56v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tj5a-r7hy-zfer
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@31.4.0-rc.0