PT-2024-7389 · Unknown+1 · Matrix-Js-Sdk+1

Dkasak · Published 2024-09-17 · Updated 2024-12-16 · CVE-2024-47080

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: matrix-js-sdk versions 9.11.0 through 34.7.0
Description: The issue is in the MatrixClient.sendSharedHistoryKeys method of the matrix-js-sdk, which is vulnerable to interception by malicious homeservers. This method is used to share historical message keys with newly invited users, granting them access to past messages in the room. However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. A malicious homeserver can therefore inject its own devices into the invited user's device list and receive sensitive historical keys without any security check being applied. The vulnerability only affects clients running the SDK with the legacy crypto stack.
Recommendations: For matrix-js-sdk versions 9.11.0 through 34.7.0, update to version 34.8.0, which removes the vulnerable functionality. As a temporary workaround, consider removing the use of the affected MatrixClient.sendSharedHistoryKeys method from clients. Restrict access to the MatrixClient.sendSharedHistoryKeys method to minimize the risk of exploitation, especially in environments where the legacy crypto stack is used.
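The check the advisory says is missing, as an added illustration that is not matrix-js-sdk code: a client that shares history keys should only do so when the invited user's cross-signing identity is verified, and only with devices signed by that identity. The device records and the `crossSigningVerified` and `signedByOwner` fields below are constructed for this example; the real SDK uses different structures.

```javascript
// Added example (not matrix-js-sdk code). Selecting which of an invited
// user's devices may receive shared history keys, shown both as the
// unconditional behaviour the advisory describes and as a hardened form.

/**
 * Vulnerable behaviour described in the advisory: every device the
 * homeserver lists for the user is a recipient, with no verification.
 */
function selectRecipientsUnconditional(devices) {
  return devices.map((d) => d.deviceId);
}

/**
 * Hardened selection: share nothing unless we have verified the user's
 * cross-signing identity, and then only with devices that identity has
 * signed. Devices a homeserver injects into the list are not signed by the
 * user and are therefore excluded.
 */
function selectRecipientsVerified(userIdentity, devices) {
  if (!userIdentity || userIdentity.crossSigningVerified !== true) {
    return []; // caller shares no history keys at all
  }
  return devices
    .filter((d) => d.signedByOwner === true)
    .map((d) => d.deviceId);
}

// Constructed sample data: a verified user with two self-signed devices and
// one extra device that the homeserver added without the user's signature.
const sampleIdentity = { userId: '@alice:example.org', crossSigningVerified: true };
const sampleDevices = [
  { deviceId: 'LAPTOP', signedByOwner: true },
  { deviceId: 'PHONE', signedByOwner: true },
  { deviceId: 'INJECTED', signedByOwner: false },
];

console.log('unconditional:', selectRecipientsUnconditional(sampleDevices));
console.log('verified only:', selectRecipientsVerified(sampleIdentity, sampleDevices));
```

With the sample data the unconditional selection returns all three devices, including the unsigned one, while the hardened selection returns only the two devices signed by the user's identity, and returns nothing when the identity itself is unverified.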

Exploit · Fix

Weakness Enumeration

Information Disclosure
Improper Authentication

Related Identifiers

BDU:2024-08758
CVE-2024-47080
GHSA-4JF8-G8WP-CX7C

Affected Products

Debian
Matrix-Js-Sdk