matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor
- Severity:
- Medium
Description
A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk’s getRoomUpgradeHistory function will infinitely recurse in this case, causing the code to hang. This method is public but also called by the ‘leaveRoomChain()’ method, so leaving a room will also trigger the bug.
Recommendation
Update the matrix-js-sdk package to the latest compatible version. Followings are version details:
- Affected version(s): < 34.3.1
- Patched version(s): 34.3.1
References
Related Issues
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- snowflake-sdk may incorrectly validate temporary credential cache file permissions - CVE-2025-24791
- matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal - CVE-2024-50336
- @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
- Tags:
- npm
- matrix-js-sdk
Anything's wrong? Let us know Last updated on August 20, 2024