matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
- Severity:
- Medium
Description
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.
Recommendation
Update the matrix-js-sdk package to the latest compatible version. Followings are version details:
- Affected version(s): < 38.2.0
- Patched version(s): 38.2.0
References
- GHSA-mp7c-m3rh-r56v
- www.npmjs.com
- CVE-2025-59160
- CWE-20
- CWE-345
- CWE-862
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A3
- OWASP 2021-A6
- OWASP 2021-A8
Related Issues
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
- matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
- `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
- Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134
- Tags:
- npm
- matrix-js-sdk
Anything's wrong? Let us know Last updated on September 22, 2025