CVE-2023-28427
Prototype pollution in matrix-js-sdk
In short
A flaw in matrix-js-sdk allows attackers to send specially crafted messages that corrupt or hide data in the application, even though it appears to be working normally. This can cause the app to silently process incorrect information, compromising data integrity.
Technical detail
Prototype pollution vulnerability in matrix-js-sdk versions before 24.0.0 allows remote attackers to inject malicious property names in Matrix protocol events, corrupting runtime object prototypes and causing data exclusion or modification. The attack requires sending crafted messages through the Matrix protocol; impact includes silent data corruption while the SDK appears functional.
Summary generated and translated by AI from the official description.
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This vulnerability is distinct from GHSA-rfv9-x7hh-xc32 which covers a similar issue. The issue has been patched in matrix-js-sdk 24.0.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Affected products
matrix-org · matrix-js-sdkWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2grhttps://lists.debian.org/debian-lts-announce/2023/04/msg00027.htmlhttps://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0https://security.gentoo.org/glsa/202305-36https://www.debian.org/security/2023/dsa-5392