Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/matrix-react-sdk@3.70.0

Type npm

Namespace

Name matrix-react-sdk

Version 3.70.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 3.105.1

Latest_non_vulnerable_version 3.105.1

Affected_by_vulnerabilities

url VCID-bes7-x6f3-a3d5

vulnerability_id VCID-bes7-x6f3-a3d5

summary matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-47824

reference_id

reference_type

scores

value	0.00526
scoring_system	epss
scoring_elements	0.67536
published_at	2026-06-12T12:55:00Z

value	0.00526
scoring_system	epss
scoring_elements	0.67445
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-47824

reference_url

https://github.com/matrix-org/matrix-react-sdk

reference_id

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-react-sdk

reference_url

https://github.com/matrix-org/matrix-react-sdk/pull/12618

reference_id

12618

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:35:51Z/

url

https://github.com/matrix-org/matrix-react-sdk/pull/12618

reference_url

https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556

reference_id

6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:35:51Z/

url

https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-47824

reference_id

CVE-2024-47824

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-47824

reference_url

https://github.com/advisories/GHSA-qcvh-p9jq-wp8v

reference_id

GHSA-qcvh-p9jq-wp8v

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qcvh-p9jq-wp8v

reference_url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v

reference_id

GHSA-qcvh-p9jq-wp8v

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T16:35:51Z/

url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v

fixed_packages

url pkg:npm/matrix-react-sdk@3.102.0

purl pkg:npm/matrix-react-sdk@3.102.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kn97-djqr-6qbf

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-react-sdk@3.102.0

aliases CVE-2024-47824, GHSA-qcvh-p9jq-wp8v

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bes7-x6f3-a3d5

url VCID-bumj-5kms-q7gg

vulnerability_id VCID-bumj-5kms-q7gg

summary matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-37259

reference_id

reference_type

scores

value	0.00245
scoring_system	epss
scoring_elements	0.47993
published_at	2026-06-11T12:55:00Z

value	0.00245
scoring_system	epss
scoring_elements	0.48132
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-37259

reference_url

https://github.com/matrix-org/matrix-react-sdk

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-react-sdk

reference_url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-37259

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-37259

reference_url

https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8

reference_id

22fcd34c606f32129ebc967fc21f24fb708a98b8

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:07:19Z/

url

https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8

reference_url

https://github.com/advisories/GHSA-c9vx-2g7w-rp65

reference_id

GHSA-c9vx-2g7w-rp65

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c9vx-2g7w-rp65

reference_url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65

reference_id

GHSA-c9vx-2g7w-rp65

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-18T16:07:19Z/

url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65

fixed_packages

url pkg:npm/matrix-react-sdk@3.76.0

purl pkg:npm/matrix-react-sdk@3.76.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bes7-x6f3-a3d5

vulnerability	VCID-kn97-djqr-6qbf

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-react-sdk@3.76.0

aliases CVE-2023-37259, GHSA-c9vx-2g7w-rp65

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bumj-5kms-q7gg

url VCID-kn97-djqr-6qbf

vulnerability_id VCID-kn97-djqr-6qbf

summary matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-42347

reference_id

reference_type

scores

value	0.00766
scoring_system	epss
scoring_elements	0.73976
published_at	2026-06-12T12:55:00Z

value	0.00766
scoring_system	epss
scoring_elements	0.73902
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-42347

reference_url

https://github.com/matrix-org/matrix-react-sdk

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Red

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-react-sdk

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-42347

reference_id

CVE-2024-42347

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Red

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-42347

reference_url

https://github.com/advisories/GHSA-f83w-wqhc-cfp4

reference_id

GHSA-f83w-wqhc-cfp4

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f83w-wqhc-cfp4

reference_url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4

reference_id

GHSA-f83w-wqhc-cfp4

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Red

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:48:06Z/

url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4

reference_url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1

reference_id

v3.105.1

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

value	7.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/U:Red

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-08T18:48:06Z/

url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1

fixed_packages

url	pkg:npm/matrix-react-sdk@3.105.1
purl	pkg:npm/matrix-react-sdk@3.105.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/matrix-react-sdk@3.105.1

aliases CVE-2024-42347, GHSA-f83w-wqhc-cfp4

risk_score 3.5

exploitability 0.5

weighted_severity 6.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kn97-djqr-6qbf

url VCID-wkbt-xxar-vqh4

vulnerability_id VCID-wkbt-xxar-vqh4

summary matrix-react-sdk is a react-based SDK for inserting a Matrix chat/VoIP client into a web page. Prior to version 3.71.0, plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload. No cross-site scripting attack is possible due to the hardcoded content security policy. Version 3.71.0 of the SDK patches over the issue. As a workaround, restarting the client will clear the HTML injection.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-30609

reference_id

reference_type

scores

value	0.00575
scoring_system	epss
scoring_elements	0.69251
published_at	2026-06-11T12:55:00Z

value	0.00575
scoring_system	epss
scoring_elements	0.69343
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-30609

reference_url

https://github.com/matrix-org/matrix-react-sdk

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/matrix-org/matrix-react-sdk

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-30609

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-30609

reference_url

https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826

reference_id

bf182bc94556849d7acdfa0e5fdea2aa129ea826

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T17:54:49Z/

url

https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826

reference_url

https://github.com/advisories/GHSA-xv83-x443-7rmw

reference_id

GHSA-xv83-x443-7rmw

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xv83-x443-7rmw

reference_url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw

reference_id

GHSA-xv83-x443-7rmw

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T17:54:49Z/

url

https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw

reference_url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0

reference_id

v3.71.0

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-03T17:54:49Z/

url

https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0

fixed_packages

url pkg:npm/matrix-react-sdk@3.71.0

purl pkg:npm/matrix-react-sdk@3.71.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bes7-x6f3-a3d5

vulnerability	VCID-bumj-5kms-q7gg

vulnerability	VCID-kn97-djqr-6qbf

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-react-sdk@3.71.0

aliases CVE-2023-30609, GHSA-xv83-x443-7rmw

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wkbt-xxar-vqh4

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/matrix-react-sdk@3.70.0

Package Instance