Package Instance

Insufficient Verification of Data Authenticity
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk.

Matrix SDK for React's URL preview setting for a room is controllable by the HS
A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Object.prototype`, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue.

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

Unrestricted Upload of File with Dangerous Type
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page., when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.