PT-2024-7453 · Unknown · Matrix-React-Sdk
Dkasak · Published 2024-06-14 · Updated 2024-10-17 · CVE-2024-47824
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
matrix-react-sdk versions 3.18.0 through 3.101.9
Description:
The issue is related to insufficient protection of service data, allowing a malicious homeserver to potentially steal message keys for a room when a user invites another user to that room. This is possible because matrix-react-sdk before version 3.102.0 shared historical message keys on invite.
Recommendations:
For versions 3.18.0 through 3.101.9, update to version 3.102.0 to prevent the potential theft of message keys by a malicious homeserver during room invites.
As a temporary workaround, consider disabling the sharing of message keys on invite until a patch is available.
Restrict access to the vulnerable functionality to minimize the risk of exploitation.
Avoid using the vulnerable version of matrix-react-sdk until the issue is resolved.
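Added example (not part of the original advisory or of the matrix-react-sdk project): a Node.js check that flags matrix-react-sdk entries in a parsed package-lock.json whose version falls in the affected range stated above. Reporting pre-release and non-semver versions as "unknown" is an assumption of this example, and the sample lockfile is constructed.

```javascript
// Added example: flag matrix-react-sdk installs in the affected range
// 3.18.0 through 3.101.9 (fixed in 3.102.0) from a parsed package-lock.json.
const NAME = "matrix-react-sdk";
const FIRST_AFFECTED = [3, 18, 0];
const FIRST_FIXED = [3, 102, 0];

// Parse "3.101.9" or "3.102.0-rc.1"; returns null for git URLs, tags, ranges.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "ok", or "unknown" (assumption: pre-releases and
// anything that is not plain semver are left for manual review).
function classify(version) {
  const p = parseVersion(version);
  if (!p || p.pre) return "unknown";
  return cmp(p.core, FIRST_AFFECTED) >= 0 && cmp(p.core, FIRST_FIXED) < 0 ? "affected" : "ok";
}

// Handles npm lockfile v2/v3 ("packages") and v1 (nested "dependencies").
function auditLockfile(lock) {
  const findings = [];
  const hit = (path, meta) => findings.push({ path, version: meta.version, status: classify(meta.version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${NAME}` || path.endsWith(`/node_modules/${NAME}`)) hit(path, meta);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === NAME) hit(`${trail}>${name}`, meta);
      walk(meta.dependencies, `${trail}>${name}`);
    }
  };
  // v2 lockfiles carry both sections; only fall back to v1 data when needed.
  if (!lock.packages) walk(lock.dependencies, "root");
  return findings;
}

// Constructed sample lockfile: one affected copy, one fixed nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/matrix-react-sdk": { version: "3.101.9" },
  "node_modules/widget/node_modules/matrix-react-sdk": { version: "3.102.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the result of JSON.parse on its package-lock.json to auditLockfile and review every entry whose status is not "ok".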
Exploit
Fix
Information Disclosure
Affected Products
Matrix-React-Sdk