Package details: pkg:npm/matrix-js-sdk@38.2.0
purl pkg:npm/matrix-js-sdk@38.2.0
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-tu1c-47c3-p7cq
Aliases: CVE-2025-59160, GHSA-mp7c-m3rh-r56v
Summary: matrix-js-sdk has insufficient validation when considering a room to be upgraded by another

### Impact
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.

### Patches
The issue has been patched and users should upgrade to 38.2.0.

### Workarounds
Avoid using `MatrixClient::getJoinedRooms` in favour of `getRooms()` and filtering upgraded rooms separately.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-09-17T05:46:19.161727+00:00 | GHSA Importer | Fixing | VCID-tu1c-47c3-p7cq | https://github.com/advisories/GHSA-mp7c-m3rh-r56v | 37.0.0 |
| 2025-09-17T00:59:50.179627+00:00 | GithubOSV Importer | Fixing | VCID-tu1c-47c3-p7cq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-mp7c-m3rh-r56v/GHSA-mp7c-m3rh-r56v.json | 37.0.0 |