CVE-2024-50336Path Traversal in Matrix-js-sdk

CWE-22Path Traversal9 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
0.9%
top 24.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Matrix-org Matrix-js-sdkMozilla Thunderbird
Timeline
PublishedNov 12
Latest updateFeb 2

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Affected Packages3 packages

CVEListV5matrix-org/matrix-js-sdk< 34.11.1
Debianmozilla/thunderbird< 1:128.6.0esr-1~deb11u1+3

🔴Vulnerability Details

4
OSV
CVE-2024-50336: matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript2024-11-12
GHSA
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal2024-11-12
OSV
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal2024-11-12
CVEList
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal2024-11-12

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2026-02-02
Debian
CVE-2024-50336: node-matrix-js-sdk - matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. m...2024
Mozilla
Mozilla Foundation Security Advisory 2024-69: CVE-2024-50336
Mozilla
Mozilla Foundation Security Advisory 2025-04: CVE-2024-50336
CVE-2024-50336 — Path Traversal in Matrix-js-sdk | cvebase