Automatic room upgrade handling can be used maliciously to bridge a room non-consensually
CVE-2021-32659
What is CVE-2021-32659?
Matrix-appservice-bridge is the bridging service for the Matrix communication program's application services. In versions 2.6.0 and earlier, if a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance), any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room's m.room.create event is not checked to verify that the predecessor field contains the previous room. This means that any malicious admin of a bridged room can repoint the traffic to a different room without the new room being aware. Versions 2.6.1 and greater are patched. As a workaround, automatic room upgrade handling can be disabled by removing the roomUpgradeOpts key from the Bridge class options.
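The missing check described above, sketched as an added example (this is not matrix-appservice-bridge's own code or its 2.6.1 patch): a bridge follows a tombstone only when the target room's m.room.create event names the old room as its predecessor. The function name isConsentingUpgrade, the helper builders and the room IDs are hypothetical, and events are assumed to arrive in client-server format with a room_id field.

```javascript
// Added example, not project code. Event field names follow the Matrix spec;
// isConsentingUpgrade and all sample values below are constructed.
function isConsentingUpgrade(oldRoomId, tombstone, targetCreate) {
  if (!tombstone || tombstone.type !== "m.room.tombstone" || tombstone.state_key !== "") {
    return { ok: false, reason: "not a tombstone state event" };
  }
  if (tombstone.room_id !== oldRoomId) {
    return { ok: false, reason: "tombstone is from another room" };
  }
  const target = tombstone.content && tombstone.content.replacement_room;
  if (typeof target !== "string" || target === "" || target === oldRoomId) {
    return { ok: false, reason: "missing or self-referencing replacement_room" };
  }
  // The create event must really belong to the room the tombstone points at.
  if (!targetCreate || targetCreate.type !== "m.room.create" || targetCreate.room_id !== target) {
    return { ok: false, reason: "create event is not from the target room" };
  }
  // The check the advisory says was absent: the new room must point back.
  const pred = targetCreate.content && targetCreate.content.predecessor;
  if (!pred || pred.room_id !== oldRoomId) {
    return { ok: false, reason: "target does not name old room as predecessor" };
  }
  return { ok: true, target };
}

// Constructed sample events.
const OLD = "!old:example.org";
const NEW = "!new:example.org";
const UNRELATED = "!unrelated:example.org";
const tombstone = (target) => ({
  type: "m.room.tombstone", state_key: "", room_id: OLD,
  content: { body: "This room has been replaced", replacement_room: target },
});
const create = (roomId, predecessorId) => ({
  type: "m.room.create", state_key: "", room_id: roomId,
  content: predecessorId
    ? { predecessor: { room_id: predecessorId, event_id: "$constructed" } }
    : {},
});

// Genuine upgrade: NEW declares OLD as predecessor, so the bridge may move.
console.log(isConsentingUpgrade(OLD, tombstone(NEW), create(NEW, OLD)));
// Tombstone pointing at a room that never declared OLD: refused.
console.log(isConsentingUpgrade(OLD, tombstone(UNRELATED), create(UNRELATED, null)));
```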
Affected Version(s)
matrix-appservice-bridge < 2.6.1