Denis Kasak

**Name of the Vulnerable Software and Affected Versions** matrix-js-sdk versions prior to 24.0.0 **Description** The issue is related to events sent with special strings in key places, which can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. The matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is a distinct issue from others that may cover similar problems. **Recommendations** For versions prior to 24.0.0, upgrade to version 24.0.0 or later to resolve the issue. There are no known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** matrix-react-sdk versions prior to 3.69.0 **Description** The issue arises when data sent by remote servers contains special strings in key locations, potentially modifying the `Object.prototype` and disrupting the functionality of matrix-react-sdk, leading to denial of service and affecting program logic. **Recommendations** For versions prior to 3.69.0, upgrade to version 3.69.0 to resolve the issue. As a temporary workaround, consider restricting the handling of data from remote servers to prevent modifications of the `Object.prototype` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** matrix-js-sdk versions prior to 12.4.1 Element Web versions 1.8.2 and earlier Element Desktop versions 1.8.2 and earlier SchildiChat Web versions 1.7.32-sc1 and earlier SchildiChat Desktop versions 1.7.32-sc1 and earlier Cinny versions 1.2.0 and earlier **Description** A logic error in the room key sharing functionality allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys that were originally sent by affected Matrix clients participating in that room. This enables the homeserver to decrypt end-to-end encrypted messages sent by affected clients. The issue affects clients using vulnerable versions of matrix-js-sdk. **Recommendations** For matrix-js-sdk versions prior to 12.4.1, update to version 12.4.1 or later to resolve the issue. For Element Web versions 1.8.2 and earlier, update to a version later than 1.8.2. For Element Desktop versions 1.8.2 and earlier, update to a version later than 1.8.2. For SchildiChat Web versions 1.7.32-sc1 and earlier, update to a version later than 1.7.32-sc1. For SchildiChat Desktop versions 1.7.32-sc1 and earlier, update to a version later than 1.7.32-sc1. For Cinny versions 1.2.0 and earlier, update to a version later than 1.2.0. As a temporary workaround, consider taking vulnerable clients offline or signing them out to prevent a homeserver from stealing room keys. When signing out, set up Secure Backup or export E2E room keys to preserve access to past messages.

**Name of the Vulnerable Software and Affected Versions** Element Android versions prior to 1.2.2 matrix-android-sdk2 (aka Matrix SDK for Android) versions prior to 1.2.2 **Description** A logic error in the room key sharing functionality allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys that were originally sent by affected Matrix clients participating in that room. This enables the attacker to decrypt end-to-end encrypted messages sent by affected clients. The issue leads to inadequate identity verification, allowing a key-requesting device to be impersonated. **Recommendations** For Element Android versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. For matrix-android-sdk2 (aka Matrix SDK for Android) versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the room key sharing functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Matrix libolm versions prior to 3.2.3 **Description** The issue is related to a stack-based buffer overflow in the `olm pk decrypt` function, which can be triggered by a malicious Matrix homeserver. This could potentially allow remote code execution in nonstandard build configurations. The vulnerability is also described as a buffer overflow issue in the Double Ratchet Libolm implementation, which could enable a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. **Recommendations** For Matrix libolm versions prior to 3.2.3, update to version 3.2.3 or later to resolve the issue. As a temporary workaround, consider restricting interactions with potentially malicious Matrix homeservers to minimize the risk of exploitation.