CVE-2022-36060 — Prototype Pollution in Matrix-react-sdk

CWE-1321 — Prototype Pollution7 documents5 sources

Severity

5.3MEDIUMNVD

CNA8.2

EPSS

0.4%

top 37.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Matrix-org Matrix-react-sdk Matrix React SDK Matrix-react-sdk Project Matrix-react-sdk

Timeline

PublishedMar 28

Latest updateMar 29

Description

matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶NVDmatrix/react_sdk< 3.53.0

▶CVEListV5matrix-org/matrix-react-sdk< 3.53.0

▶npmmatrix-react-sdk_project/matrix-react-sdk< 3.69.0+1

🔴Vulnerability Details

OSV

Prototype pollution in matrix-react-sdk↗2023-03-29

▶

GHSA

Prototype pollution in matrix-react-sdk↗2023-03-29

▶

OSV

matrix-react-sdk Prototype pollution vulnerability↗2023-03-28

▶

GHSA

matrix-react-sdk Prototype pollution vulnerability↗2023-03-28

▶

CVEList

Prototype pollution in matrix-react-sdk↗2023-03-28

▶

💬Community

Bugzilla

Update matrix-js-sdk to v19.4.0↗2022-08-29

▶