Vulnerability details: VCID-xfav-6f5n-sudb
Vulnerability ID VCID-xfav-6f5n-sudb
Aliases CVE-2024-42369
GHSA-vhr5-g3pm-49fm
Summary matrix-js-sdk will freeze when a user sets a room with itself as its predecessor

### Impact
A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHistory` function will recurse infinitely in this case, causing the code to hang. This method is public but is also called by the `leaveRoomChain()` method, so leaving a room will also trigger the bug. Even though the CVSS score is 4.1 ([AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L&version=3.1)), we classify this as a High severity issue.

### Patches
This was patched in matrix-js-sdk 34.3.1.

### Workarounds
Sanity check rooms before passing them to the matrix-js-sdk, or avoid calling either `getRoomUpgradeHistory` or `leaveRoomChain`.

### References
N/A.
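The following is an added example, not code from matrix-js-sdk or from the advisory, illustrating the failure mode described above and the "sanity check rooms" workaround. It models the predecessor relation as a plain `predecessor` field on each room object; the room ids, the `naiveUpgradeHistory`, `safeUpgradeHistory` and `hasPredecessorCycle` function names, and the depth bound in the naive walk are all assumptions made for the example.

```javascript
// Added example (not matrix-js-sdk code). A cycle-safe walk over a room's
// predecessor chain, modelled on the room-upgrade "predecessor" relation.
// The room ids and the `predecessor` field shape are illustrative assumptions.

// Constructed sample: a well-formed chain, roomC upgraded from roomB from roomA.
const LINEAR_ROOMS = {
  "!a:example.org": { predecessor: null },
  "!b:example.org": { predecessor: "!a:example.org" },
  "!c:example.org": { predecessor: "!b:example.org" },
};

// Constructed sample of the poisoned structure the advisory describes: the
// predecessor chain loops back on itself, and one room names itself.
const CYCLIC_ROOMS = {
  "!x:example.org": { predecessor: "!z:example.org" },
  "!y:example.org": { predecessor: "!x:example.org" },
  "!z:example.org": { predecessor: "!y:example.org" },
  "!self:example.org": { predecessor: "!self:example.org" },
};

// Naive walk: recurses on the predecessor with no termination guard, so on a
// cyclic graph it never returns. A depth bound (an assumption for this
// example) is added so the function demonstrates the failure without hanging.
function naiveUpgradeHistory(rooms, roomId, depth = 0) {
  if (depth > 1000) throw new RangeError("predecessor chain did not terminate");
  const room = rooms[roomId];
  if (!room || !room.predecessor) return [roomId];
  return [...naiveUpgradeHistory(rooms, room.predecessor, depth + 1), roomId];
}

// Hardened walk: remember every room id already visited and stop as soon as
// a predecessor repeats. Returns the oldest-to-newest chain of known rooms
// and a flag telling the caller that the data was cyclic.
function safeUpgradeHistory(rooms, roomId) {
  const chain = [];
  const seen = new Set();
  let cycle = false;
  let cur = roomId;
  while (cur !== null && cur !== undefined) {
    if (seen.has(cur)) { cycle = true; break; }
    seen.add(cur);
    const room = rooms[cur];
    if (!room) break;            // predecessor points at a room we do not know
    chain.push(cur);
    cur = room.predecessor;
  }
  return { history: chain.reverse(), cycle };
}

// Pre-flight check matching the advisory's workaround: reject a room whose
// predecessor chain loops before handing it to the SDK.
function hasPredecessorCycle(rooms, roomId) {
  return safeUpgradeHistory(rooms, roomId).cycle;
}
```

A client that applies `hasPredecessorCycle` to rooms received from a homeserver before calling the SDK's history or leave helpers avoids the hang on unpatched versions; on patched versions it still gives a clear signal that the server sent inconsistent room data.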
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2024-42369
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vhr5-g3pm-49fm
cvssv3.1 4.1 https://github.com/matrix-org/matrix-js-sdk
generic_textual MODERATE https://github.com/matrix-org/matrix-js-sdk
cvssv3.1 4.1 https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
generic_textual MODERATE https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
ssvc Track https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
cvssv3.1 4.1 https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
cvssv3.1_qr MODERATE https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
generic_textual MODERATE https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
ssvc Track https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
cvssv3.1 4.1 https://nvd.nist.gov/vuln/detail/CVE-2024-42369
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2024-42369
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-42369
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L Found at https://github.com/matrix-org/matrix-js-sdk
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L Found at https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/ Found at https://github.com/matrix-org/matrix-js-sdk/commit/a0efed8b881b3db6c9f2c71d6a6e74c2828978c6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L Found at https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:41:11Z/ Found at https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-vhr5-g3pm-49fm
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-42369
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-42369
Exploit Prediction Scoring System (EPSS)
Percentile 0.04941
EPSS Score 0.00024
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:32:43.367454+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-vhr5-g3pm-49fm/GHSA-vhr5-g3pm-49fm.json 37.0.0