Description
matrix-react-sdk is an npm package which is a Matrix SDK for React Javascript. In matrix-react-sdk before version 3.15.0, the user content sandbox can be abused to trick users into opening unexpected documents. The content is opened with a `blob` origin that cannot access Matrix user data, so messages and secrets are not at risk. This has been fixed in version 3.15.0.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-52mq-6jcv-j79x
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/matrix-react-sdk/pull/5657
Patch, Third Party Advisory x_refsource_misc
https://github.com/matrix-org/matrix-react-sdk/commit/b386f0c73b95ecbb6ea7f8f79c6ff5171a8dedd1
Product, Third Party Advisory x_refsource_misc
https://www.npmjs.com/package/matrix-react-sdk
Scores
CVSS v3
2.6
EPSS
0.0018
EPSS Percentile
39.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-345
Status
published
Products (2)
matrix-react-sdk_project/matrix-react-sdk
< 3.15.0
npm/matrix-react-sdk
0 - 3.15.0npm
Published
Mar 02, 2021
Tracked Since
Feb 18, 2026