Description
matrix-react-sdk is react-based software development kit for inserting a Matrix chat/VOIP client into a web page. Starting in version 3.18.0 and before 3.102.0, matrix-react-sdk allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite. Version 3.102.0 fixes this issue by disabling sharing message keys on invite by removing calls to the vulnerable functionality. No known workarounds are available.
References (3)
Core 3
Core References
Issue Tracking x_refsource_misc
https://github.com/matrix-org/matrix-react-sdk/pull/12618
Vendor Advisory x_refsource_confirm
https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v
Scores
CVSS v4
8.7
EPSS
0.0053
EPSS Percentile
67.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
matrix-org/matrix-react-sdk
>= 3.18.0, < 3.102.0
npm/matrix-react-sdk
3.18.0 - 3.102.0npm
Published
Oct 15, 2024
Tracked Since
Feb 18, 2026