CVE-2024-42347

HIGH

matrix-react-sdk <3.105.0 - Info Disclosure

Title source: llm

Description

matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

[Vendor Advisory] https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4

[Release Notes] https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1

Scores

CVSS v3 7.7

EPSS 0.0077

EPSS Percentile 73.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-359

Status published

Products (2)

matrix/matrix-react-sdk < 3.105.1

npm/matrix-react-sdk 0 - 3.105.1npm

Published Aug 06, 2024

Tracked Since Feb 18, 2026