{"url":"http://public2.vulnerablecode.io/api/packages/622040?format=json","purl":"pkg:npm/matrix-js-sdk@24.1.0-rc.1","type":"npm","namespace":"","name":"matrix-js-sdk","version":"24.1.0-rc.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"38.2.0","latest_non_vulnerable_version":"38.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41030?format=json","vulnerability_id":"VCID-cjfe-qh1a-6bfc","summary":"matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42369","reference_id":"","reference_type":"","scores":[{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42661","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42832","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42822","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42842","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-42369"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42369"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6","reference_id":"a0efed8b881b3db6c9f2c71d6a6e74c2828978c6","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42369","reference_id":"CVE-2024-42369","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42369"},{"reference_url":"https://github.com/advisories/GHSA-vhr5-g3pm-49fm","reference_id":"GHSA-vhr5-g3pm-49fm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vhr5-g3pm-49fm"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm","reference_id":"GHSA-vhr5-g3pm-49fm","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33048?format=json","purl":"pkg:npm/matrix-js-sdk@34.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k23m-f2ma-guc5"},{"vulnerability":"VCID-rve8-bh5h-g7fz"},{"vulnerability":"VCID-uuqj-sdvf-abdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.3.1"}],"aliases":["CVE-2024-42369","GHSA-vhr5-g3pm-49fm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cjfe-qh1a-6bfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/100792?format=json","vulnerability_id":"VCID-k23m-f2ma-guc5","summary":"Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59160","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28769","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28758","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28743","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28548","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59160"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59160"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v38.2.0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59160","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59160"},{"reference_url":"https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/matrix-js-sdk/v/38.2.0"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4","reference_id":"43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/commit/43c72d5bf5e2d0a26b3b4f71092e7cb39d4137c4"},{"reference_url":"https://github.com/advisories/GHSA-mp7c-m3rh-r56v","reference_id":"GHSA-mp7c-m3rh-r56v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp7c-m3rh-r56v"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v","reference_id":"GHSA-mp7c-m3rh-r56v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-16T17:29:36Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mp7c-m3rh-r56v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376566?format=json","purl":"pkg:npm/matrix-js-sdk@38.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@38.2.0"}],"aliases":["CVE-2025-59160","GHSA-mp7c-m3rh-r56v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k23m-f2ma-guc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/140868?format=json","vulnerability_id":"VCID-n8jg-38q6-hyf8","summary":"matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. Legacy 1:1 calls are unaffected. This is fixed in matrix-js-sdk 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29529","reference_id":"","reference_type":"","scores":[{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.40022","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.40203","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.40214","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00184","scoring_system":"epss","scoring_elements":"0.40191","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29529"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29529"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29529","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29529"},{"reference_url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3401","reference_id":"3401","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/"}],"url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3401"},{"reference_url":"https://github.com/advisories/GHSA-6g67-q39g-r79q","reference_id":"GHSA-6g67-q39g-r79q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6g67-q39g-r79q"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q","reference_id":"GHSA-6g67-q39g-r79q","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6g67-q39g-r79q"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0","reference_id":"v24.1.0","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-06T18:45:25Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/releases/tag/v24.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379376?format=json","purl":"pkg:npm/matrix-js-sdk@24.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cjfe-qh1a-6bfc"},{"vulnerability":"VCID-k23m-f2ma-guc5"},{"vulnerability":"VCID-rve8-bh5h-g7fz"},{"vulnerability":"VCID-uuqj-sdvf-abdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.1.0"}],"aliases":["CVE-2023-29529","GHSA-6g67-q39g-r79q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n8jg-38q6-hyf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58012?format=json","vulnerability_id":"VCID-rve8-bh5h-g7fz","summary":"matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. In matrix-js-sdk versions versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers.  The method was introduced by MSC3061) and is commonly used to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these \"shared\" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments. The vulnerability was fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality. As a workaround, remove use of affected functionality from clients.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47080","reference_id":"","reference_type":"","scores":[{"value":"0.0058","scoring_system":"epss","scoring_elements":"0.69473","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0058","scoring_system":"epss","scoring_elements":"0.69475","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0058","scoring_system":"epss","scoring_elements":"0.69462","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0058","scoring_system":"epss","scoring_elements":"0.6937","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47080"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47080"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f","reference_id":"2fb1e659c81f75253c047832dc9dcc2beddfac5f","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f"},{"reference_url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3061","reference_id":"3061","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/"}],"url":"https://github.com/matrix-org/matrix-spec-proposals/pull/3061"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47080","reference_id":"CVE-2024-47080","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47080"},{"reference_url":"https://github.com/advisories/GHSA-4jf8-g8wp-cx7c","reference_id":"GHSA-4jf8-g8wp-cx7c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4jf8-g8wp-cx7c"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c","reference_id":"GHSA-4jf8-g8wp-cx7c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:34:15Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33864?format=json","purl":"pkg:npm/matrix-js-sdk@34.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k23m-f2ma-guc5"},{"vulnerability":"VCID-uuqj-sdvf-abdn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.8.0"}],"aliases":["CVE-2024-47080","GHSA-4jf8-g8wp-cx7c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rve8-bh5h-g7fz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21429?format=json","vulnerability_id":"VCID-uuqj-sdvf-abdn","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50336","reference_id":"","reference_type":"","scores":[{"value":"0.00877","scoring_system":"epss","scoring_elements":"0.75739","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00877","scoring_system":"epss","scoring_elements":"0.75819","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00877","scoring_system":"epss","scoring_elements":"0.75823","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00877","scoring_system":"epss","scoring_elements":"0.7581","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-50336"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50336"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/matrix-org/matrix-js-sdk"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50336","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50336"},{"reference_url":"https://github.com/advisories/GHSA-xvg8-m4x3-w6xr","reference_id":"GHSA-xvg8-m4x3-w6xr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xvg8-m4x3-w6xr"},{"reference_url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr","reference_id":"GHSA-xvg8-m4x3-w6xr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/"}],"url":"https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr"},{"reference_url":"https://security.gentoo.org/glsa/202505-03","reference_id":"GLSA-202505-03","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202505-03"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2024-69","reference_id":"mfsa2024-69","reference_type":"","scores":[{"value":"none","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2024-69"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-04","reference_id":"mfsa2025-04","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-04"},{"reference_url":"https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5","reference_id":"#security-considerations-5","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-12T17:11:23Z/"}],"url":"https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5"},{"reference_url":"https://usn.ubuntu.com/7991-1/","reference_id":"USN-7991-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7991-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372864?format=json","purl":"pkg:npm/matrix-js-sdk@34.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k23m-f2ma-guc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@34.11.1"}],"aliases":["CVE-2024-50336","GHSA-xvg8-m4x3-w6xr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uuqj-sdvf-abdn"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/matrix-js-sdk@24.1.0-rc.1"}