Search for packages
| purl | pkg:npm/matrix-js-sdk@2.2.0-rc.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6szy-r2cd-9kfw
Aliases: CVE-2024-50336 GHSA-xvg8-m4x3-w6xr |
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal ### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html |
Affected by 1 other vulnerability. |
|
VCID-9747-ab3e-4bbg
Aliases: CVE-2023-29529 GHSA-6g67-q39g-r79q |
Missing Authorization matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present. |
Affected by 4 other vulnerabilities. |
|
VCID-9uwh-r958-gyg3
Aliases: CVE-2024-42369 GHSA-vhr5-g3pm-49fm |
matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor ### Impact A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)) we classify this as High severity issue. ### Patches This was patched in matrix-js-sdk 34.3.1. ### Workarounds Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`. ### References N/A. |
Affected by 3 other vulnerabilities. |
|
VCID-cw2e-p5x2-j7fu
Aliases: CVE-2022-36059 GHSA-rfv9-x7hh-xc32 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 19.4.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This issue has been fixed in matrix-js-sdk 19.4.0 and users are advised to upgrade. Users unable to upgrade may mitigate this issue by redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues. In some cases, no workarounds are possible. |
Affected by 10 other vulnerabilities. |
|
VCID-f4t7-jun7-3qh4
Aliases: CVE-2022-39250 GHSA-5w8r-8pgj-5jmf |
Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
Affected by 6 other vulnerabilities. |
|
VCID-fs3v-8fsn-uygj
Aliases: CVE-2023-28427 GHSA-mwq8-fjpf-c2gr |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 5 other vulnerabilities. |
|
VCID-qxh6-26ps-ykhu
Aliases: CVE-2022-39249 GHSA-6263-x97c-c4gg |
Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
Affected by 6 other vulnerabilities. |
|
VCID-r824-dgt3-wucc
Aliases: CVE-2022-39251 GHSA-r48r-j8fx-mq2c |
Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in arbitrary code execution. |
Affected by 6 other vulnerabilities. |
|
VCID-tj5a-r7hy-zfer
Aliases: CVE-2025-59160 GHSA-mp7c-m3rh-r56v |
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. |
Affected by 0 other vulnerabilities. |
|
VCID-xewe-wx57-3yfd
Aliases: CVE-2021-40823 GHSA-23cm-x6j7-6hq3 |
Use of a Broken or Risky Cryptographic Algorithm There is a logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK). This allows the homeserver to decrypt end-to-end encrypted messages sent by affected clients. |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||