VulnerableCode Package Details - pkg:npm/matrix-js-sdk@25.2.0-rc.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-urt4-v2ca-2beg Aliases: CVE-2024-47080 GHSA-4jf8-g8wp-cx7c	Matrix JavaScript SDK's key history sharing could share keys to malicious devices ### Impact In matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. The method implements functionality proposed in [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments. ### Patches Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality. ### Workarounds Remove use of affected functionality from clients. ### References - [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) ### For more information If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).	34.8.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-xdp5-wxc4-6bbk Aliases: CVE-2024-50336 GHSA-xvg8-m4x3-w6xr	The Matrix specification demands homeservers to perform validation of the server-name and media-id components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.	34.11.1 Affected by 0 other vulnerabilities.
VCID-xfav-6f5n-sudb Aliases: CVE-2024-42369 GHSA-vhr5-g3pm-49fm	matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor ### Impact A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)) we classify this as High severity issue. ### Patches This was patched in matrix-js-sdk 34.3.1. ### Workarounds Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`. ### References N/A.	34.3.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-urt4-v2ca-2beg
Aliases:
CVE-2024-47080
GHSA-4jf8-g8wp-cx7c

Matrix JavaScript SDK's key history sharing could share keys to malicious devices ### Impact In matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers. The method implements functionality proposed in [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks. Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call `MatrixClient.initRustCrypto()` instead of `MatrixClient.initCrypto()`) are unaffected by this vulnerability, because `MatrixClient.sendSharedHistoryKeys()` raises an exception in such environments. ### Patches Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality. ### Workarounds Remove use of affected functionality from clients. ### References - [MSC3061](https://github.com/matrix-org/matrix-spec-proposals/pull/3061) ### For more information If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).

34.8.0
Affected by 1 other vulnerability.

VCID-xdp5-wxc4-6bbk
Aliases:
CVE-2024-50336
GHSA-xvg8-m4x3-w6xr

The Matrix specification demands homeservers to perform validation of the server-name and media-id components of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.

34.11.1
Affected by 0 other vulnerabilities.

VCID-xfav-6f5n-sudb
Aliases:
CVE-2024-42369
GHSA-vhr5-g3pm-49fm

matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor ### Impact A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. Even if the CVSS score would be 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)) we classify this as High severity issue. ### Patches This was patched in matrix-js-sdk 34.3.1. ### Workarounds Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`. ### References N/A.

34.3.1
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T12:02:48.679642+00:00	GitLab Importer	Affected by	VCID-xdp5-wxc4-6bbk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2024-50336.yml	37.0.0
2025-08-01T11:59:29.379153+00:00	GitLab Importer	Affected by	VCID-urt4-v2ca-2beg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2024-47080.yml	37.0.0
2025-08-01T11:53:24.516113+00:00	GitLab Importer	Affected by	VCID-xfav-6f5n-sudb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/matrix-js-sdk/CVE-2024-42369.yml	37.0.0