Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/535097?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/535097?format=api", "purl": "pkg:npm/matrix-js-sdk@0.6.3", "type": "npm", "namespace": "", "name": "matrix-js-sdk", "version": "0.6.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "38.2.0", "latest_non_vulnerable_version": "38.2.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/5291?format=api", "vulnerability_id": "VCID-2b4g-ezdx-euad", "summary": "information disclosure", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40823", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36865", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36904", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36891", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36929", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36963", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00162", "scoring_system": "epss", "scoring_elements": "0.36957", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-40823" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40823", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40823" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": 
"" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v12.4.1" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-23cm-x6j7-6hq3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-23cm-x6j7-6hq3" }, { "reference_url": "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing" }, { "reference_url": 
"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994213", "reference_id": "994213", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994213" }, { "reference_url": "https://security.archlinux.org/ASA-202109-4", "reference_id": "ASA-202109-4", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202109-4" }, { "reference_url": "https://security.archlinux.org/ASA-202109-5", "reference_id": "ASA-202109-5", "reference_type": "", "scores": [], "url": "https://security.archlinux.org/ASA-202109-5" }, { "reference_url": "https://security.archlinux.org/AVG-2377", "reference_id": "AVG-2377", "reference_type": "", "scores": [ { "value": "High", "scoring_system": "archlinux", "scoring_elements": "" } ], "url": "https://security.archlinux.org/AVG-2377" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40823", "reference_id": "CVE-2021-40823", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40823" }, { "reference_url": "https://github.com/advisories/GHSA-23cm-x6j7-6hq3", "reference_id": "GHSA-23cm-x6j7-6hq3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-23cm-x6j7-6hq3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58969?format=api", "purl": "pkg:npm/matrix-js-sdk@12.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5qky-f5t4-pufg" }, { "vulnerability": "VCID-dyhz-9pw7-5kfx" }, { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-j5fb-nvc6-8ka3" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-rtku-qch5-jfah" }, { "vulnerability": 
"VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" }, { "vulnerability": "VCID-ywbj-pvzd-77f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@12.4.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/535315?format=api", "purl": "pkg:npm/matrix-js-sdk@12.5.0-rc.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5qky-f5t4-pufg" }, { "vulnerability": "VCID-dyhz-9pw7-5kfx" }, { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-j5fb-nvc6-8ka3" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-rtku-qch5-jfah" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" }, { "vulnerability": "VCID-ywbj-pvzd-77f5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@12.5.0-rc.1" } ], "aliases": [ "CVE-2021-40823", "GHSA-23cm-x6j7-6hq3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2b4g-ezdx-euad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1776?format=api", "vulnerability_id": "VCID-5qky-f5t4-pufg", "summary": "Thunderbird users who use the Matrix chat protocol were vulnerable to an impersonation attack. An adversary could spoof historical messages from other users. 
Additionally, a malicious key backup could be added to the user's account under certain unusual conditions in order to exfiltrate message keys.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39251.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39251.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.5152", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51484", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51464", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51453", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51498", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00278", "scoring_system": "epss", "scoring_elements": "0.51514", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39251" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39251" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { 
"reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39251", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39251" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:00Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", "reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2135396", "reference_id": "2135396", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135396" }, { "reference_url": "https://github.com/advisories/GHSA-r48r-j8fx-mq2c", "reference_id": "GHSA-r48r-j8fx-mq2c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r48r-j8fx-mq2c" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": 
"https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145540?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39251", "GHSA-r48r-j8fx-mq2c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5qky-f5t4-pufg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1774?format=api", "vulnerability_id": "VCID-dyhz-9pw7-5kfx", "summary": "Thunderbird users who use the Matrix chat protocol were vulnerable to an impersonation attack. 
A malicious server administrator could fake encrypted messages to look as if they were sent from another user on that server.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39249.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39249.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65343", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65354", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65352", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65302", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00477", "scoring_system": "epss", "scoring_elements": "0.65333", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39249" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39249" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": 
"7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3061" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39249", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39249" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": 
"ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:04Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", "reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135393", "reference_id": "2135393", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135393" }, { "reference_url": "https://github.com/advisories/GHSA-6263-x97c-c4gg", "reference_id": "GHSA-6263-x97c-c4gg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6263-x97c-c4gg" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": 
"https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": "https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145540?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39249", "GHSA-6263-x97c-c4gg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dyhz-9pw7-5kfx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1082?format=api", "vulnerability_id": "VCID-fmvy-mvvs-h7gw", "summary": "Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28427.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-28427.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28427", 
"reference_id": "", "reference_type": "", "scores": [ { "value": "0.00602", "scoring_system": "epss", "scoring_elements": "0.69943", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00602", "scoring_system": "epss", "scoring_elements": "0.6994", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00602", "scoring_system": "epss", "scoring_elements": "0.69917", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00602", "scoring_system": "epss", "scoring_elements": "0.69929", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00602", "scoring_system": "epss", "scoring_elements": "0.69934", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28427" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0547", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0547" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1999", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1999" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28427", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28427" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29479", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29479" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533", "reference_id": "", "reference_type": "", "scores": [], "url": 
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29548", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29548" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00027.html" }, { "reference_url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0" }, { "reference_url": "https://security.gentoo.org/glsa/202305-36", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://security.gentoo.org/glsa/202305-36" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5392", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" 
}, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": "https://www.debian.org/security/2023/dsa-5392" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033621", "reference_id": "1033621", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033621" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2183278", "reference_id": "2183278", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2183278" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427", "reference_id": "CVE-2023-28427", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28427" }, { "reference_url": "https://github.com/advisories/GHSA-mwq8-fjpf-c2gr", "reference_id": "GHSA-mwq8-fjpf-c2gr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mwq8-fjpf-c2gr" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr", "reference_id": "GHSA-mwq8-fjpf-c2gr", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:03:37Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-12", "reference_id": "mfsa2023-12", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2023-12" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1802", "reference_id": "RHSA-2023:1802", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1802" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1803", "reference_id": "RHSA-2023:1803", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1803" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1804", "reference_id": "RHSA-2023:1804", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1805", "reference_id": "RHSA-2023:1805", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1805" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1806", "reference_id": "RHSA-2023:1806", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1806" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1809", "reference_id": "RHSA-2023:1809", "reference_type": "", 
"scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1809" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1810", "reference_id": "RHSA-2023:1810", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1810" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1811", "reference_id": "RHSA-2023:1811", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1811" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64435?format=api", "purl": "pkg:npm/matrix-js-sdk@24.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.0.0" } ], "aliases": [ "CVE-2023-28427", "GHSA-mwq8-fjpf-c2gr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fmvy-mvvs-h7gw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1793?format=api", "vulnerability_id": "VCID-j5fb-nvc6-8ka3", "summary": "Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack. 
An adversary sharing a room with a user had the ability to carry out an attack against affected clients, making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36059.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36059.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36059", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49055", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49031", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49018", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49049", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48994", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.49065", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36059" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36059" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": 
"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.4.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.4.0" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018970", "reference_id": "1018970", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018970" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123258", "reference_id": "2123258", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2123258" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36059", "reference_id": "CVE-2022-36059", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36059" }, { "reference_url": "https://github.com/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32", "reference_id": "GHSA-rfv9-x7hh-xc32", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-18T20:05:25Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-rfv9-x7hh-xc32" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-38", "reference_id": "mfsa2022-38", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-38" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6708", "reference_id": "RHSA-2022:6708", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6708" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6710", "reference_id": "RHSA-2022:6710", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6710" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6713", "reference_id": "RHSA-2022:6713", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6713" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6715", "reference_id": "RHSA-2022:6715", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6715" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6716", "reference_id": "RHSA-2022:6716", 
"reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6716" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:6717", "reference_id": "RHSA-2022:6717", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:6717" }, { "reference_url": "https://usn.ubuntu.com/5663-1/", "reference_id": "USN-5663-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5663-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64438?format=api", "purl": "pkg:npm/matrix-js-sdk@19.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5qky-f5t4-pufg" }, { "vulnerability": "VCID-877t-h6w3-dkdf" }, { "vulnerability": "VCID-dyhz-9pw7-5kfx" }, { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-rtku-qch5-jfah" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.4.0" } ], "aliases": [ "CVE-2022-36059", "GHSA-rfv9-x7hh-xc32" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j5fb-nvc6-8ka3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47656?format=api", "vulnerability_id": "VCID-peth-cw2p-z7bj", "summary": "matrix-js-sdk has insufficient validation when considering a room to be upgraded by another\nmatrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59160", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.2852", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28515", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28547", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28585", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00108", "scoring_system": "epss", "scoring_elements": "0.28625", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59160" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0" }, { "reference_url": "https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59160", "reference_id": "CVE-2025-59160", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59160" }, { "reference_url": "https://github.com/advisories/GHSA-mp7c-m3rh-r56v", "reference_id": "GHSA-mp7c-m3rh-r56v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mp7c-m3rh-r56v" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v", "reference_id": "GHSA-mp7c-m3rh-r56v", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70116?format=api", "purl": "pkg:npm/matrix-js-sdk@38.2.0", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@38.2.0" } ], "aliases": [ "CVE-2025-59160", "GHSA-mp7c-m3rh-r56v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-peth-cw2p-z7bj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/1775?format=api", "vulnerability_id": "VCID-rtku-qch5-jfah", "summary": "Thunderbird users who use the Matrix chat protocol were vulnerable to an impersonation attack. 
A malicious server administrator could interfere with cross-device verification to authenticate their own device.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39250.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53005", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.5303", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53055", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53066", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53073", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39250" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39250" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf" }, { "reference_url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39250", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39250" }, { "reference_url": "https://security.gentoo.org/glsa/202210-35", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:50:35Z/" } ], "url": "https://security.gentoo.org/glsa/202210-35" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136", "reference_id": "1021136", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021136" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135395", "reference_id": "2135395", "reference_type": "", "scores": [], "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2135395" }, { "reference_url": "https://github.com/advisories/GHSA-5w8r-8pgj-5jmf", "reference_id": "GHSA-5w8r-8pgj-5jmf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5w8r-8pgj-5jmf" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43", "reference_id": "mfsa2022-43", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2022-43" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7178", "reference_id": "RHSA-2022:7178", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7178" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7181", "reference_id": "RHSA-2022:7181", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7181" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7182", "reference_id": "RHSA-2022:7182", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7182" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7183", "reference_id": "RHSA-2022:7183", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7183" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7184", "reference_id": "RHSA-2022:7184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:7190", "reference_id": "RHSA-2022:7190", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:7190" }, { "reference_url": "https://usn.ubuntu.com/5724-1/", "reference_id": "USN-5724-1", "reference_type": "", "scores": [], "url": 
"https://usn.ubuntu.com/5724-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145540?format=api", "purl": "pkg:npm/matrix-js-sdk@19.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fmvy-mvvs-h7gw" }, { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-uwfk-btzv-8uh5" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@19.7.0" } ], "aliases": [ "CVE-2022-39250", "GHSA-5w8r-8pgj-5jmf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rtku-qch5-jfah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55711?format=api", "vulnerability_id": "VCID-sgju-v2kk-23f9", "summary": "matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor\nA malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. 
This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42369", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42624", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42597", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42588", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.42651", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00205", "scoring_system": "epss", "scoring_elements": "0.4264", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-42369" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", 
"scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42369", "reference_id": "CVE-2024-42369", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42369" }, { "reference_url": "https://github.com/advisories/GHSA-vhr5-g3pm-49fm", "reference_id": "GHSA-vhr5-g3pm-49fm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vhr5-g3pm-49fm" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm", "reference_id": "GHSA-vhr5-g3pm-49fm", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/" } ], "url": 
"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82424?format=api", "purl": "pkg:npm/matrix-js-sdk@34.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.3.1" } ], "aliases": [ "CVE-2024-42369", "GHSA-vhr5-g3pm-49fm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sgju-v2kk-23f9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/215?format=api", "vulnerability_id": "VCID-utme-k32f-2bgk", "summary": "The Matrix specification demands homeservers to perform validation of the server-name and media-id components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. 
matrix-js-sdk fails to perform this validation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50336", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75667", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75693", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75686", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75689", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00877", "scoring_system": "epss", "scoring_elements": "0.75679", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-50336" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html" }, { "reference_url": "https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/" } ], "url": "https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50336", "reference_id": "CVE-2024-50336", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50336" }, { "reference_url": "https://github.com/advisories/GHSA-xvg8-m4x3-w6xr", "reference_id": "GHSA-xvg8-m4x3-w6xr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xvg8-m4x3-w6xr" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr", "reference_id": "GHSA-xvg8-m4x3-w6xr", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N" }, { "value": 
"MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr" }, { "reference_url": "https://security.gentoo.org/glsa/202505-03", "reference_id": "GLSA-202505-03", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202505-03" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-69", "reference_id": "mfsa2024-69", "reference_type": "", "scores": [ { "value": "none", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2024-69" }, { "reference_url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-04", "reference_id": "mfsa2025-04", "reference_type": "", "scores": [ { "value": "high", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-04" }, { "reference_url": "https://usn.ubuntu.com/7991-1/", "reference_id": "USN-7991-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7991-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83207?format=api", "purl": "pkg:npm/matrix-js-sdk@34.11.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-peth-cw2p-z7bj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.11.1" } ], "aliases": [ "CVE-2024-50336", "GHSA-xvg8-m4x3-w6xr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-utme-k32f-2bgk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44951?format=api", "vulnerability_id": "VCID-uwfk-btzv-8uh5", "summary": "Missing Authorization\nmatrix-js-sdk is 
the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29529", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39983", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39973", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.39956", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40011", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40008", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29529" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk", "reference_id": 
"", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/matrix-org/matrix-js-sdk" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0" }, { "reference_url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3401", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-spec-proposals/pull/3401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29529", "reference_id": "CVE-2023-29529", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2023-29529" }, { "reference_url": "https://github.com/advisories/GHSA-6g67-q39g-r79q", "reference_id": "GHSA-6g67-q39g-r79q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6g67-q39g-r79q" }, { "reference_url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q", "reference_id": "GHSA-6g67-q39g-r79q", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/" } ], "url": "https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64716?format=api", "purl": "pkg:npm/matrix-js-sdk@24.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-peth-cw2p-z7bj" }, { "vulnerability": "VCID-sgju-v2kk-23f9" }, { "vulnerability": "VCID-utme-k32f-2bgk" }, { "vulnerability": "VCID-y1pp-ssrh-akg4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.1.0" } ], "aliases": [ "CVE-2023-29529", "GHSA-6g67-q39g-r79q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uwfk-btzv-8uh5" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@0.6.3" }