Client-Side Path Traversal Vulnerability in Matrix JS SDK by Matrix
CVE-2024-50336

Currently unrated

Key Information:

Vendor: Matrix
Status: matrix-js-sdk
Vendor: CVE Published:; 12 November 2024

What is CVE-2024-50336?

The Matrix JavaScript SDK (matrix-js-sdk) versions prior to 34.11.0 contain a client-side path traversal vulnerability. It allows a malicious user in a chat room to craft MXC URIs that could make clients based on this SDK issue arbitrary authenticated GET requests to the user's homeserver. This could result in unauthorized exposure of sensitive data or manipulation of the server's state. The vulnerability is rectified in version 34.11.1 of the matrix-js-sdk.

References

https://github.com/matrix-org/matrix-js-sdk/security/advi...

https://spec.matrix.org/v1.12/client-server-api/#security...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 12, 2024