Exposure of Private Personal Information to an Unauthorized Actor Affecting matrix-react-sdk package, versions <3.105.1
Threat Intelligence
EPSS: 0.05% (20th percentile)
- Snyk ID SNYK-JS-MATRIXREACTSDK-7642787
- published 7 Aug 2024
- disclosed 6 Aug 2024
- credit Unknown
Introduced: 6 Aug 2024
CVE-2024-42347
How to fix?
Upgrade matrix-react-sdk to version 3.105.1 or higher.
Overview
matrix-react-sdk is an SDK for matrix.org using React.
Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via a malicious homeserver, allowing an attacker to change the user's account data and cause the client to enable URL previews in end-to-end encrypted rooms. Exploiting this vulnerability causes any URLs in encrypted messages to be sent to the server.