NodeJS/matrix-react-sdk/3.71.0-rc.1
SDK for matrix.org using React
https://www.npmjs.com/package/matrix-react-sdk
Apache-2.0
4 Security Vulnerabilities
matrix-react-sdk vulnerable to XSS in Export Chat feature
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-c9vx-2g7w-rp65
- https://github.com/matrix-org/matrix-react-sdk/commit/22fcd34c606f32129ebc967fc21f24fb708a98b8
- https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.76.0
- https://github.com/advisories/GHSA-c9vx-2g7w-rp65
- https://nvd.nist.gov/vuln/detail/CVE-2023-37259
Description
The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS.
Impact
Since the Export Chat feature generates a separate document, an attacker can only inject code run from the null
origin, restricting the impact.
However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side.
Patches
This was patched in matrix-react-sdk 3.76.0.
Workarounds
None, other than not using the Export Chat feature.
References
N/A
Matrix SDK for React's URL preview setting for a room is controllable by the homeserver
Impact
A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server.
Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) the maintainer classifies this as High severity issue.
Patches
This was patched in matrix-react-sdk 3.105.1.
Workarounds
Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected.
References
N/A.
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-qcvh-p9jq-wp8v
- https://github.com/matrix-org/matrix-react-sdk/pull/12618
- https://github.com/matrix-org/matrix-react-sdk/commit/6fc9d7641c51ca3db8225cf58b9d6e6fdd2d6556
- https://nvd.nist.gov/vuln/detail/CVE-2024-47824
- https://github.com/advisories/GHSA-qcvh-p9jq-wp8v
Impact
matrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room, via injection of a malicious device controlled by the homeserver. This is possible because matrix-react-sdk before 3.102.0 shared historical message keys on invite.
Patches
matrix-react-sdk 3.102.0 disables sharing message keys on invite by removing calls to the vulnerable functionality.
Workarounds
None.
References
The vulnerability in matrix-react-sdk is caused by calling MatrixClient.sendSharedHistoryKeys
in matrix-js-sdk, which is inherently vulnerable to this sort of attack. This matrix-js-sdk vulnerability is tracked as CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c. Given that this functionality is not specific to sharing message keys on invite, is optional, has to be explicitly called by the caller and has been independently patched in matrix-react-sdk by removing the offending calls, we believe it is proper to treat the matrix-react-sdk vulnerability as a separate one, with its own advisory and CVE.
The matrix-org/matrix-react-sdk repository has recently been archived and the project was moved to element-hq/matrix-react-sdk. Given that this happened after the first patched release, no releases of the project on element-hq/matrix-react-sdk were ever vulnerable to this vulnerability.
Patching pull request: https://github.com/matrix-org/matrix-react-sdk/pull/12618.
For more information
If you have any questions or comments about this advisory, please email us at security at security at matrix.org.
HTML injection in search results via plaintext message highlighting
- https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-xv83-x443-7rmw
- https://nvd.nist.gov/vuln/detail/CVE-2023-30609
- https://github.com/matrix-org/matrix-react-sdk/commit/bf182bc94556849d7acdfa0e5fdea2aa129ea826
- https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.71.0
- https://github.com/advisories/GHSA-xv83-x443-7rmw
Impact
Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user into searching for a specific message containing an HTML injection payload.
Cross-site scripting is possible by including resources from recaptcha.net
and gstatic.com
which are included in the default CSP.
Thanks to Cadence Ember for finding the injection and to S1m for finding possible XSS vectors.
Patches
Version 3.71.0 of the SDK fixes the issue.
Workarounds
Restarting the client will clear the injection.
543 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
3.114.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-22 - 12:06 | 23 days | |
3.114.0-rc.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-15 - 14:42 | 30 days | |
3.113.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-15 - 11:03 | 30 days | |
3.112.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-08 - 12:30 | about 1 month | |
3.112.0-rc.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-01 - 15:07 | about 1 month | |
3.111.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-10-01 - 11:58 | about 1 month | |
3.110.0 | AGPL-3.0-only OR GPL-3.0-only | 2024-09-24 - 12:45 | about 2 months | |
3.110.0-rc.1 | AGPL-3.0-only OR GPL-3.0-only | 2024-09-19 - 11:19 | about 2 months | |
3.109.0 | Apache-2.0 | 2024-09-10 - 12:50 | 2 months | |
3.109.0-rc.0 | Apache-2.0 | 2024-09-03 - 12:42 | 2 months | |
3.108.0 | Apache-2.0 | 2024-08-27 - 12:45 | 3 months | |
3.108.0-rc.0 | Apache-2.0 | 2024-08-21 - 13:10 | 3 months | |
3.107.0 | Apache-2.0 | 2024-08-20 - 11:38 | 3 months | |
3.106.0 | Apache-2.0 | 2024-08-13 - 12:14 | 3 months | |
3.106.0-rc.1 | Apache-2.0 | 2024-08-06 - 12:34 | 3 months | |
3.105.1 | Apache-2.0 | 2024-08-06 - 10:28 | 3 months | |
3.104.0 | Apache-2.0 | 1 | 2024-07-30 - 12:48 | 4 months |
3.104.0-rc.1 | Apache-2.0 | 1 | 2024-07-24 - 11:33 | 4 months |
3.104.0-rc.0 | Apache-2.0 | 1 | 2024-07-23 - 12:08 | 4 months |
3.103.0 | Apache-2.0 | 1 | 2024-07-16 - 12:31 | 4 months |
3.103.0-rc.1 | Apache-2.0 | 1 | 2024-07-09 - 13:20 | 4 months |
3.102.0 | Apache-2.0 | 1 | 2024-07-08 - 12:25 | 4 months |
3.102.0-rc.1 | Apache-2.0 | 2 | 2024-07-04 - 13:00 | 4 months |
3.102.0-rc.0 | Apache-2.0 | 2 | 2024-06-25 - 12:56 | 5 months |
3.101.0 | Apache-2.0 | 2 | 2024-06-18 - 12:16 | 5 months |
3.101.0-rc.1 | Apache-2.0 | 2 | 2024-06-14 - 12:28 | 5 months |
3.101.0-rc.0 | Apache-2.0 | 2 | 2024-06-11 - 12:14 | 5 months |
3.100.0 | Apache-2.0 | 2 | 2024-06-04 - 13:29 | 5 months |
3.100.0-rc.1 | Apache-2.0 | 2 | 2024-05-29 - 13:08 | 6 months |
3.100.0-rc.0 | Apache-2.0 | 2 | 2024-05-15 - 09:13 | 6 months |
3.99.0 | Apache-2.0 | 2 | 2024-05-07 - 12:26 | 6 months |
3.99.0-rc.1 | Apache-2.0 | 2 | 2024-05-02 - 15:10 | 7 months |
3.99.0-rc.0 | Apache-2.0 | 2 | 2024-04-30 - 12:16 | 7 months |
3.98.0 | Apache-2.0 | 2 | 2024-04-23 - 12:58 | 7 months |
3.98.0-rc.0 | Apache-2.0 | 2 | 2024-04-16 - 12:24 | 7 months |
3.97.0 | Apache-2.0 | 2 | 2024-04-09 - 10:14 | 7 months |
3.97.0-rc.0 | Apache-2.0 | 2 | 2024-04-02 - 16:25 | 8 months |
3.96.1 | Apache-2.0 | 2 | 2024-03-28 - 16:55 | 8 months |
3.96.0 | Apache-2.0 | 2 | 2024-03-26 - 16:37 | 8 months |
3.96.0-rc.0 | Apache-2.0 | 2 | 2024-03-19 - 15:19 | 8 months |
3.95.0 | Apache-2.0 | 2 | 2024-03-14 - 17:16 | 8 months |
3.95.0-rc.0 | Apache-2.0 | 2 | 2024-03-14 - 16:42 | 8 months |
3.94.0 | Apache-2.0 | 2 | 2024-03-12 - 18:41 | 8 months |
3.94.0-rc.0 | Apache-2.0 | 2 | 2024-03-05 - 14:11 | 8 months |
3.93.0 | Apache-2.0 | 2 | 2024-02-27 - 13:00 | 9 months |
3.93.0-rc.0 | Apache-2.0 | 2 | 2024-02-21 - 18:21 | 9 months |
3.92.0 | Apache-2.0 | 2 | 2024-02-13 - 15:04 | 9 months |
3.92.0-rc.1 | Apache-2.0 | 2 | 2024-02-06 - 15:46 | 9 months |
3.92.0-rc.0 | Apache-2.0 | 2 | 2024-02-02 - 15:09 | 10 months |
3.91.0 | Apache-2.0 | 2 | 2024-01-31 - 14:54 | 10 months |
3.91.0-rc.1 | Apache-2.0 | 2 | 2024-01-24 - 16:41 | 10 months |
3.91.0-rc.0 | Apache-2.0 | 2 | 2024-01-23 - 18:44 | 10 months |
3.90.0 | Apache-2.0 | 2 | 2024-01-19 - 13:51 | 10 months |
3.89.0 | Apache-2.0 | 2 | 2024-01-16 - 17:42 | 10 months |
3.89.0-rc.0 | Apache-2.0 | 2 | 2024-01-09 - 17:59 | 10 months |
3.88.0 | Apache-2.0 | 2 | 2024-01-04 - 14:34 | 10 months |
3.87.0 | Apache-2.0 | 2 | 2023-12-19 - 15:55 | 11 months |
3.87.0-rc.0 | Apache-2.0 | 2 | 2023-12-12 - 17:03 | 11 months |
3.86.0 | Apache-2.0 | 2 | 2023-12-05 - 14:00 | 11 months |
3.86.0-rc.2 | Apache-2.0 | 2 | 2023-11-28 - 17:11 | 12 months |
3.85.0 | Apache-2.0 | 2 | 2023-11-21 - 11:12 | 12 months |
3.85.0-rc.1 | Apache-2.0 | 2 | 2023-11-14 - 15:58 | almost 1 year |
3.85.0-rc.0 | Apache-2.0 | 2 | 2023-11-14 - 14:42 | almost 1 year |
3.84.1 | Apache-2.0 | 2 | 2023-11-13 - 09:52 | about 1 year |
3.84.0 | Apache-2.0 | 2 | 2023-11-07 - 15:18 | about 1 year |
3.84.0-rc.1 | Apache-2.0 | 2 | 2023-10-31 - 14:50 | about 1 year |
3.83.0 | Apache-2.0 | 2 | 2023-10-24 - 14:38 | about 1 year |
3.83.0-rc.1 | Apache-2.0 | 2 | 2023-10-17 - 14:22 | about 1 year |
3.82.0 | Apache-2.0 | 2 | 2023-10-10 - 08:25 | about 1 year |
3.82.0-rc.1 | Apache-2.0 | 2 | 2023-10-03 - 10:54 | about 1 year |
3.81.1 | Apache-2.0 | 2 | 2023-09-29 - 10:17 | about 1 year |
3.81.0 | Apache-2.0 | 2 | 2023-09-26 - 12:00 | about 1 year |
3.81.0-rc.1 | Apache-2.0 | 2 | 2023-09-19 - 11:44 | about 1 year |
3.80.1 | Apache-2.0 | 2 | 2023-09-13 - 11:03 | about 1 year |
3.80.0 | Apache-2.0 | 2 | 2023-09-12 - 16:01 | about 1 year |
3.80.0-rc.2 | Apache-2.0 | 2 | 2023-09-08 - 11:01 | about 1 year |
3.80.0-rc.1 | Apache-2.0 | 2 | 2023-09-05 - 16:01 | about 1 year |
3.79.0 | Apache-2.0 | 2 | 2023-08-29 - 10:02 | about 1 year |
3.79.0-rc.2 | Apache-2.0 | 2 | 2023-08-23 - 10:48 | about 1 year |
3.78.0 | Apache-2.0 | 2 | 2023-08-15 - 12:27 | about 1 year |
3.78.0-rc.1 | Apache-2.0 | 2 | 2023-08-08 - 14:15 | over 1 year |
3.77.1 | Apache-2.0 | 2 | 2023-08-04 - 08:27 | over 1 year |
3.77.0 | Apache-2.0 | 2 | 2023-08-01 - 11:42 | over 1 year |
3.77.0-rc.1 | Apache-2.0 | 2 | 2023-07-27 - 08:43 | over 1 year |
3.76.0 | Apache-2.0 | 2 | 2023-07-18 - 13:05 | over 1 year |
3.76.0-rc.2 | Apache-2.0 | 3 | 2023-07-14 - 15:29 | over 1 year |
3.76.0-rc.1 | Apache-2.0 | 3 | 2023-07-11 - 14:48 | over 1 year |
3.75.0 | Apache-2.0 | 3 | 2023-07-04 - 14:19 | over 1 year |
3.75.0-rc.1 | Apache-2.0 | 3 | 2023-06-27 - 11:08 | over 1 year |
3.74.0 | Apache-2.0 | 3 | 2023-06-20 - 09:23 | over 1 year |
3.74.0-rc1 | Apache-2.0 | 3 | 2023-06-13 - 11:42 | over 1 year |
3.73.1 | Apache-2.0 | 3 | 2023-06-09 - 08:43 | over 1 year |
3.73.0 | Apache-2.0 | 3 | 2023-06-06 - 13:28 | over 1 year |
3.73.0-rc.3 | Apache-2.0 | 3 | 2023-06-01 - 16:02 | over 1 year |
3.73.0-rc.2 | Apache-2.0 | 3 | 2023-05-19 - 15:59 | over 1 year |
3.73.0-rc.1 | Apache-2.0 | 3 | 2023-05-16 - 13:10 | over 1 year |
3.72.0 | Apache-2.0 | 3 | 2023-05-10 - 11:23 | over 1 year |
3.72.0-rc.2 | Apache-2.0 | 3 | 2023-05-05 - 14:18 | over 1 year |
3.72.0-rc.1 | Apache-2.0 | 3 | 2023-05-02 - 10:41 | over 1 year |
3.71.1 | Apache-2.0 | 3 | 2023-04-25 - 09:58 | over 1 year |