VulnerableCode Package Details - pkg:npm/matrix-js-sdk@34.11.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-tj5a-r7hy-zfer Aliases: CVE-2025-59160 GHSA-mp7c-m3rh-r56v	matrix-js-sdk has insufficient validation when considering a room to be upgraded by another matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.	38.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-tj5a-r7hy-zfer
Aliases:
CVE-2025-59160
GHSA-mp7c-m3rh-r56v

matrix-js-sdk has insufficient validation when considering a room to be upgraded by another matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.

38.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-6szy-r2cd-9kfw	matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal ### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html	CVE-2024-50336 GHSA-xvg8-m4x3-w6xr

Vulnerability

Summary

Aliases

VCID-6szy-r2cd-9kfw

matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal ### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. ### Details The Matrix specification demands homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent *client-side* path traversal. matrix-js-sdk fails to perform this validation. ### Patches Fixed in matrix-js-sdk 34.11.1. ### Workarounds None. ### References - https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5 - https://blog.doyensec.com/2024/07/02/cspt2csrf.html

CVE-2024-50336
GHSA-xvg8-m4x3-w6xr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:42:56.621881+00:00	GitLab Importer	Affected by	VCID-tj5a-r7hy-zfer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2025-59160.yml	38.4.0
2026-04-12T01:03:50.508003+00:00	GitLab Importer	Affected by	VCID-tj5a-r7hy-zfer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2025-59160.yml	38.3.0
2026-04-07T04:56:24.773488+00:00	GHSA Importer	Fixing	VCID-6szy-r2cd-9kfw	https://github.com/advisories/GHSA-xvg8-m4x3-w6xr	38.1.0
2026-04-03T01:12:09.940831+00:00	GitLab Importer	Affected by	VCID-tj5a-r7hy-zfer	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2025-59160.yml	38.1.0
2026-04-02T12:40:23.206927+00:00	GitLab Importer	Fixing	VCID-6szy-r2cd-9kfw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2024-50336.yml	38.0.0
2026-04-01T12:51:09.557526+00:00	GithubOSV Importer	Fixing	VCID-6szy-r2cd-9kfw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xvg8-m4x3-w6xr/GHSA-xvg8-m4x3-w6xr.json	38.0.0