Prototype pollution in matrix-js-sdk
CVE-2022-36059

8.2 HIGH

Key Information:

Vendor:
Matrix-org

CVE Published:
28 March 2023

What is CVE-2022-36059?

matrix-js-sdk, a JavaScript SDK for the Matrix messaging protocol, has a prototype pollution vulnerability in its event processing. In versions before 19.4.0, an event that contains specific strings in key positions can cause the SDK to malfunction and disrupt its data handling. The SDK may appear to keep working while silently dropping or corrupting runtime data shown to users. Users should upgrade to version 19.4.0 or later to preserve data integrity. Where upgrading is not possible, redacting the offending events or restarting the client may relieve some of the effects, but in some situations no effective workaround is available.

Affected Version(s)

matrix-js-sdk < 19.4.0

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved