Authentication Bypass Affecting matrix-js-sdk package, versions <19.7.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-MATRIXJSSDK-3035652
- published 29 Sep 2022
- disclosed 29 Sep 2022
- credit Unknown
Introduced: 29 Sep 2022
CVE-2022-39251 Open this link in a new tabHow to fix?
Upgrade matrix-js-sdk to version 19.7.0 or higher.
Overview
matrix-js-sdk is a Matrix Client-Server SDK for Javascript
Affected versions of this package are vulnerable to Authentication Bypass. An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver.