Prototype pollution in matrix-js-sdk
CVE-2023-28427

8.2HIGH

Key Information:

Vendor: Matrix-org
Status: Matrix-js-sdk
Vendor: CVE Published:; 28 March 2023

What is CVE-2023-28427?

The matrix-js-sdk, a Client-Server SDK for the Matrix messaging protocol, exhibits a vulnerability that allows events containing special strings to interfere with its normal operation. This disruption can manifest as the exclusion or corruption of runtime data that is critical for users, even though the SDK may appear to function normally. As the problem can significantly impact the safe processing of data, users are strongly advised to upgrade to matrix-js-sdk version 24.0.0 or later, as there are currently no viable workarounds available for this issue. Further details on the vulnerability can be found in the relevant security advisories.

Affected Version(s)

matrix-js-sdk < 24.0.0

References

https://github.com/matrix-org/matrix-js-sdk/security/advi...

x_refsource_CONFIRM

https://matrix.org/blog/2023/03/28/security-releases-matr...

x_refsource_MISC

https://www.debian.org/security/2023/dsa-5392

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 28, 2023
Vulnerability Reserved
Mar 15, 2023

Matrix-org

What is CVE-2023-28427?

Affected Version(s)

References

CVSS V3.1

Timeline