A malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API.

### Details

The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as and use the resulting token to perform provisioning requests.

### Workarounds

Disable the provisioning API. If the bridge does not use the provisioning API, you are not vulnerable.

Affected Packages

npm matrix-appservice-bridge

Affected versions: 4.0.0 (fixed in 8.1.2)

npm matrix-appservice-bridge

Affected versions: 9.0.0 (fixed in 9.0.1)

Related CVEs

CVE-2023-38691

Key Information

GHSA ID

GHSA-vc7j-h8xg-fv5x

Published

August 4, 2023 5:26 PM

Last Modified

August 4, 2023 5:26 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

matrix-appservice-bridge

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.