Headline
GHSA-6g43-88cp-w5gv: Prototype pollution in matrix-react-sdk
Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36060 / GHSA-2x9c-qwgf-94xr is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
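The class of bug described above, shown as an added example (not code from matrix-react-sdk or from this advisory): a plain object used as a dictionary with remote-controlled keys, next to a Map-based form that treats the same keys as plain data. The record shape, function names and sample data are constructed assumptions.

```javascript
// Added example; names and data are constructed, not taken from matrix-react-sdk.

// Constructed sample: records as they might arrive from a remote server,
// where `sender` and `field` are strings the remote side controls.
const sampleRecords = [
  { sender: "@alice:example.org", field: "displayname", value: "Alice" },
  { sender: "__proto__", field: "polluted", value: true },
];

// Unsafe pattern: plain object as a dictionary keyed by remote strings.
// index["__proto__"] resolves to Object.prototype, so the nested write
// becomes visible on every object in the program.
function indexUnsafe(records) {
  const index = {};
  for (const { sender, field, value } of records) {
    if (!index[sender]) index[sender] = {};
    index[sender][field] = value;
  }
  return index;
}

// Hardened pattern: Map for both levels, so a key is never resolved
// through a prototype chain.
function indexSafe(records) {
  const index = new Map();
  for (const { sender, field, value } of records) {
    if (!index.has(sender)) index.set(sender, new Map());
    index.get(sender).set(field, value);
  }
  return index;
}

// True when Object.prototype has no own properties beyond the baseline.
function prototypeIsClean(baseline) {
  const now = Object.getOwnPropertyNames(Object.prototype);
  return now.every((name) => baseline.includes(name));
}

function runDemo() {
  const baseline = Object.getOwnPropertyNames(Object.prototype);
  const safeIndex = indexSafe(sampleRecords);
  const cleanAfterSafe = prototypeIsClean(baseline);
  indexUnsafe(sampleRecords);
  const cleanAfterUnsafe = prototypeIsClean(baseline);
  delete Object.prototype.polluted; // restore global state after the demo
  return { cleanAfterSafe, cleanAfterUnsafe, safeKeys: [...safeIndex.keys()] };
}

console.log(runDemo());
```

A baseline comparison like `prototypeIsClean` can also serve as a regression test assertion after feeding untrusted input through code that builds lookup tables.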
Patches
This is fixed in matrix-react-sdk 3.69.0.
Workarounds
None.
References
- Release blog post
- The advisory GHSA-2x9c-qwgf-94xr (CVE-2022-36060) refers to an initial set of vulnerable locations discovered and patched in matrix-react-sdk 3.53.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
Package
matrix-react-sdk (npm)
Affected versions
< 3.69.0
Patched versions
3.69.0
References
- GHSA-2x9c-qwgf-94xr
- GHSA-6g43-88cp-w5gv
- https://nvd.nist.gov/vuln/detail/CVE-2023-28103
- https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0
dkasak published to matrix-org/matrix-react-sdk
Mar 28, 2023
Published by the National Vulnerability Database
Mar 28, 2023
Published to the GitHub Advisory Database
Mar 29, 2023
Reviewed
Mar 29, 2023
Last updated
Mar 29, 2023
Related news
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.