Turt2Live

**Name of the Vulnerable Software and Affected Versions** Mjolnir version 1.9.0 **Description** Mjolnir is a moderation tool for Matrix. It responds to management commands from any room the bot is a member of, potentially allowing users who are not operators to use the bot's functions, including server administration components if enabled. **Recommendations** For Mjolnir version 1.9.0, upgrade to version 1.9.1 or higher. If upgrading to 1.9.1 or higher is not possible, downgrade to version 1.8.3.

Name of the Vulnerable Software and Affected Versions: Matrix Media Repo versions prior to 1.3.5 Description: The issue allows an unauthenticated adversary to induce the system to download and cache large amounts of remote media files, resulting in unbounded disk consumption. This can lead to a denial of service when the disk is full, as authenticated users will be unable to upload new media. For instances using cloud-based S3 storage, this could result in high service fees instead of a denial of service. The typical operating environment of Matrix Media Repo uses S3-like storage as a backend, with file-backed store as an alternative option, making instances using a file-backed store or those self-hosting an S3 storage system vulnerable to a disk fill attack. Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later to introduce a new default-on "leaky bucket" rate limit, which reduces the amount of data a user can request at a time. Operators should note that the leaky bucket implementation requires the IP address associated with the request to be forwarded, to avoid mistakenly applying the rate limit to the reverse proxy instead. To avoid this issue, the reverse proxy should populate the `X-Forwarded-For` header when sending the request to Matrix Media Repo. As a temporary workaround, consider lowering the maximum file size allowed and implement harsh rate limits, though this can still lead to a large amount of data to be downloaded.

**Name of the Vulnerable Software and Affected Versions** Matrix Media Repo (MMR) versions prior to 1.3.8 **Description** The issue arises when Matrix Media Repo (MMR) makes requests to other servers as part of its normal operation, and these servers return large amounts of JSON for parsing. During parsing, MMR can consume large amounts of memory, leading to memory exhaustion. **Recommendations** For versions prior to 1.3.8, upgrade to version 1.3.8 to resolve the issue. As a temporary workaround for users unable to upgrade, consider configuring forward proxies to block requests to unsafe hosts. Alternatively, configure MMR processes with memory limits and auto-restart to mitigate the risk. Running multiple MMR processes concurrently can help ensure a restart does not overly impact users.

**Name of the Vulnerable Software and Affected Versions** Matrix Media Repo versions prior to 1.3.8 **Description** The issue arises when SVG or JPEGXL thumbnailers are enabled, allowing a user to upload a file that claims to be one of these types and request a thumbnail, potentially invoking a different decoder in ImageMagick. This may include the capability to run Ghostscript to decode the image/file in some ImageMagick installations. Similarly, if MP4 thumbnailers are enabled, the same issue may occur with the ffmpeg installation. Matrix Media Repo uses various decoders for other file types when preparing thumbnails, and while theoretical issues are possible with these decoders, they were not found to be exploitable in testing. **Recommendations** For versions prior to 1.3.8, disable the SVG, JPEGXL, and MP4 thumbnail types in the Matrix Media Repo config to prevent the decoders from being invoked. Further disable uncommon file types on the server to limit the risk surface. Consider using containers or similar technologies to limit the impact of vulnerabilities in external decoders like ImageMagick and ffmpeg. If possible, replicate the option to disable "unsafe" file types, like PDFs, in other environments as needed. Note that the Docker image for Matrix Media Repo disables PDFs and similar formats by default.

**Name of the Vulnerable Software and Affected Versions** Matrix Javascript SDK versions 17.1.0-rc.1 through 19.6.x **Description** The issue arises from improperly formed beacon events, which can disrupt the matrix-js-sdk's functionality, potentially impacting the consumer's ability to process data safely. The matrix-js-sdk may appear to operate normally but could be excluding or corrupting runtime data presented to the consumer. **Recommendations** For versions 17.1.0-rc.1 through 19.6.x, update to version 19.7.0 to resolve the issue. As a temporary workaround, consider redacting applicable events, waiting for the sync processor to store data, and restarting the client. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

Name of the Vulnerable Software and Affected Versions: matrix-media-repo versions 1.2.6 and earlier Description: The issue arises from improper handling of malicious images that are small in file size but large in complexity. A malicious user can upload a small image using specific formats that expands to extremely large dimensions during thumbnailing, causing the server to exhaust its memory and leading to denial of service. Recommendations: For versions 1.2.6 and earlier, update to version 1.2.7 to resolve the issue.