GHSA-xvg8-m4x3-w6xr

GitHub Security Advisory

matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

### Summary

matrix-js-sdk before 34.11.1 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can cause clients built on matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.

### Details

The Matrix specification requires homeservers to [perform validation](https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5) of the `server-name` and `media-id` components of MXC URIs, with the intent of preventing path traversal on the server side. It does not state that a similar check must also be performed by the client to prevent *client-side* path traversal, and matrix-js-sdk did not perform one: the two components were inserted into the media request path unvalidated, so a room member who can get a crafted MXC URI rendered by the client controls part of the path of an authenticated request the client then makes to its own homeserver.
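The following is an added example, not matrix-js-sdk's code and not the fix shipped in 34.11.1. It shows the unvalidated conversion pattern beside a hardened one and resolves the resulting URL the way a browser's `fetch()` would. The endpoint path is the spec's `/_matrix/client/v1/media/download/{serverName}/{mediaId}`; the `server-name` and `media-id` grammars (the two regexes), the function names, and the sample URIs are this example's own assumptions.

```javascript
// Added example (not matrix-js-sdk code): converting an MXC URI into a
// homeserver media URL, first the unvalidated way, then with the checks a
// client needs. Validation grammars below are assumptions for illustration.

const MXC_PREFIX = "mxc://";

// Split "mxc://<server-name>/<media-id>" into its two components without
// validating either. Returns null only when the basic shape is wrong.
function splitMxc(mxc) {
  if (typeof mxc !== "string" || !mxc.startsWith(MXC_PREFIX)) return null;
  const rest = mxc.slice(MXC_PREFIX.length);
  const slash = rest.indexOf("/");
  if (slash <= 0 || slash === rest.length - 1) return null;
  return { serverName: rest.slice(0, slash), mediaId: rest.slice(slash + 1) };
}

// Vulnerable pattern: both components go straight into the path. "../"
// segments in the media-id are removed by the URL parser before the
// request is sent, so the GET lands on a different authenticated endpoint.
function naiveMxcToHttp(baseUrl, mxc) {
  const parts = splitMxc(mxc);
  if (!parts) return null;
  return `${baseUrl}/_matrix/client/v1/media/download/${parts.serverName}/${parts.mediaId}`;
}

// Assumed server-name grammar: dotted hostname labels (no empty label, so
// "." and ".." cannot pass) or a bracketed IPv6 literal, plus optional port.
const SERVER_NAME_RE =
  /^(?:[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/;
// Assumed media-id grammar: an opaque token of unreserved characters only,
// which excludes "/", ".", "?", "#" and "%".
const MEDIA_ID_RE = /^[A-Za-z0-9_-]+$/;

// Hardened pattern: anything outside the grammar is rejected before it can
// become part of a request path.
function safeMxcToHttp(baseUrl, mxc) {
  const parts = splitMxc(mxc);
  if (!parts) return null;
  if (!SERVER_NAME_RE.test(parts.serverName) || !MEDIA_ID_RE.test(parts.mediaId)) {
    return null;
  }
  return `${baseUrl}/_matrix/client/v1/media/download/${parts.serverName}/${parts.mediaId}`;
}

// The path a browser would actually request, after WHATWG dot-segment
// removal. This is what turns the crafted media URL into a /sync request.
function effectivePath(url) {
  return url === null ? null : new URL(url).pathname;
}

// Constructed sample inputs (not from the advisory): one ordinary media URI
// and one crafted to climb out of the media endpoint into /_matrix/client/v3/sync.
const HS = "https://hs.example";
const BENIGN = "mxc://matrix.example/AbCdEf0123";
const CRAFTED = "mxc://matrix.example/../../../../v3/sync";

function demo() {
  return {
    naiveBenign: effectivePath(naiveMxcToHttp(HS, BENIGN)),
    naiveCrafted: effectivePath(naiveMxcToHttp(HS, CRAFTED)),
    safeBenign: safeMxcToHttp(HS, BENIGN),
    safeCrafted: safeMxcToHttp(HS, CRAFTED),
  };
}
```

`demo()` shows the difference in one call: the naive conversion of the crafted URI resolves to `/_matrix/client/v3/sync`, an endpoint the client will hit with its access token attached, while the hardened conversion returns `null` for it and an unchanged URL for the benign one. Rejecting on grammar rather than stripping `../` is deliberate: the same escape exists for percent-encoded forms and for a malformed `server-name`, and a whitelist of allowed characters closes both without having to enumerate them.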

### Patches

Fixed in matrix-js-sdk 34.11.1.

### Workarounds

None.

### References

- https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5
- https://blog.doyensec.com/2024/07/02/cspt2csrf.html

Affected Packages

npm matrix-js-sdk
Affected versions: all versions before 34.11.1 (fixed in 34.11.1)

Related CVEs

Key Information

GHSA ID
GHSA-xvg8-m4x3-w6xr
Published
November 12, 2024 7:54 PM
Last Modified
November 12, 2024 7:54 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
matrix-js-sdk
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.