Javascript Sdk
CVE-2024-42369
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 npm packages depend on matrix-js-sdk (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 34.3.1.
DescriptionNVD
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1.
AnalysisAI
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-674. matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug. This was patched in matrix-js-sdk 34.3.1. Affected products include: Matrix Javascript Sdk.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Javascript Sdk
View allThe olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. Rated critical sever
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. Rated high severity (CVSS 8.2), this vuln
Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Rated high severity (CV
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Rated high severity (CVSS 7.5), this vulnerability
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Rated high severity (CVSS 7.5), this vulnerability
A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a
matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. Rated medium severity (CVSS 5.3), this vuln
Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Rated medium severity (CVSS 5.3), this vulnerabili
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today