PT-2024-34149 · Unknown+5 · Matrix-Js-Sdk+5

Published: 2024-11-12 · Updated: 2026-02-02 · CVE-2024-50336

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: matrix-js-sdk versions prior to 34.11.0
Description: The issue is a client-side path traversal vulnerability via crafted MXC URIs. A malicious room member can cause clients based on matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. The Matrix specification requires homeservers to validate the server-name and media-id components of MXC URIs, but it does not state that a similar check must also be performed on the client to prevent client-side path traversal. The matrix-js-sdk fails to perform this validation.
Recommendations: For matrix-js-sdk versions prior to 34.11.0, update to version 34.11.1 to resolve the issue. As a temporary workaround, consider restricting access to crafted MXC URIs to minimize the risk of exploitation. Avoid using the server-name and media-id components of MXC URIs in the affected API endpoints until the issue is resolved.
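
The client-side check the description says is missing can be sketched as follows. This is an added example, not matrix-js-sdk code: the function names `parseMxc` and `mxcToDownloadUrl` are hypothetical, the media-id and server-name patterns are assumptions based on the Matrix specification's grammar (the DNS-name pattern here is deliberately stricter, so `.` and `..` are rejected), and the path is the authenticated media download endpoint of the client-server API.

```javascript
// Added example: client-side MXC URI validation (not matrix-js-sdk code).
// Assumed grammar: media-id is [A-Za-z0-9_-]+; server-name is a DNS name,
// IPv4 address or bracketed IPv6 literal with an optional port.
const MEDIA_ID_RE = /^[A-Za-z0-9_-]+$/;
const SERVER_NAME_RE =
  /^(?:\[[0-9A-Fa-f:.]{2,45}\]|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)(?::\d{1,5})?$/;

// Returns { serverName, mediaId }, or null if the URI must not be used.
function parseMxc(uri) {
  if (typeof uri !== "string" || !uri.startsWith("mxc://")) return null;
  const parts = uri.slice("mxc://".length).split("/");
  // Exactly two components. Extra "/" segments fail here; "?", "#", "%"
  // and empty components fail the character classes below.
  if (parts.length !== 2) return null;
  const [serverName, mediaId] = parts;
  if (serverName.length > 255 || !SERVER_NAME_RE.test(serverName)) return null;
  if (!MEDIA_ID_RE.test(mediaId)) return null;
  return { serverName, mediaId };
}

// Builds the download URL only from validated components.
function mxcToDownloadUrl(baseUrl, uri) {
  const mxc = parseMxc(uri);
  if (mxc === null) return null;
  const prefix = "/_matrix/client/v1/media/download/";
  const path = prefix + encodeURIComponent(mxc.serverName) + "/" +
    encodeURIComponent(mxc.mediaId);
  const url = new URL(path, baseUrl);
  // Defence in depth: after URL normalisation the path must still sit
  // under the media endpoint, otherwise refuse to send the request.
  if (!url.pathname.startsWith(prefix)) return null;
  return url.href;
}
```

A caller should treat a `null` result as "do not fetch" rather than falling back to the raw string.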

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2025-1972
ALT-PU-2025-2027
CVE-2024-50336
DLA-4012-1
DSA-5841-1
GHSA-XVG8-M4X3-W6XR
MGASA-2024-0395
OESA-2025-1835
OPENSUSE-SU-2024:14584-1
OPENSUSE-SU-2024_4326-1
SUSE-SU-2024:4326-1
USN-7991-1

Affected Products

Alt Linux
Debian
Linuxmint
Suse
Ubuntu
Matrix-Js-Sdk