CVE-2022-36059 - How Malicious Events Can Break Your Matrix Client with matrix-js-sdk

The online chat world is powered by various protocols, and the Matrix protocol is one of the most popular for secure, decentralized messaging. If you use JavaScript with Matrix, chances are you depend on matrix-js-sdk. But did you know that until September 2022, a bug lurked in this popular SDK, putting your data and apps at risk even when everything *looked* fine?

In this exclusive long read, we’ll break down CVE-2022-36059 in plain American English, explore how it works, and show you ways to protect yourself with practical code samples.

What IS CVE-2022-36059?

matrix-js-sdk is an open-source library for interacting with Matrix homeservers in JavaScript apps. It’s used in everything from chatbots to full-featured messengers. CVE-2022-36059 refers to a critical bug present in all versions before 19.4..

What’s the Issue?

If someone sends a specially crafted event – that is, a Matrix message with odd or maliciously constructed strings in certain fields – your Matrix client might:

Continue running as if nothing’s wrong, so you might not notice anything!

This may mean that you and your users won’t see all messages, some rooms might break, or data could become inconsistent and unreliable.

Exploit Details: How Attackers Can Mess Up Your Matrix Client

Imagine that your Matrix client is happily syncing messages. Now, a bad actor creates and sends an event with an edge-case string in a critical field, like "content", "type", or "state_key". When the SDK receives this, it could become confused and skip events after it, or store broken data.

*Here’s a very simple example of what such a malicious event might look like:*

{
  "type": "m.room.message",
  "sender": "@evil:matrix.org",
  "content": {
    "msgtype": "m.text",
    // Specially crafted string that triggers parser failure
    "body": "\udc00\udc00\udc00"
  },
  "event_id": "$hacker_event:matrix.org"
}

The above "body" uses unpaired surrogate code units, which can break naive string handling in JavaScript.

Not crash your client: making you *think* all is well, but users can’t see the real data

- Potentially cause data processing errors downstream, especially if you sync data to logs or databases

Real-World Impact

This CVE is tricky because your Matrix client won’t throw errors or become unresponsive right away. Instead, you might simply not receive messages after the malicious event, or certain data will become corrupted or lost as if it vanished into thin air!

For people building bots, bridges, chat clients, or dashboards, this is a hidden DANGER.

`

- Or in your code/package.json.

How Was It Fixed?

The fix, released in 19.4., adds proper sanitization and event parsing that gracefully ignores or handles harmful strings, rather than corrupting state or silently dropping data.

Redact Harmful Events

- If you know which event broke your client, "redact" (moderate/delete) that event from the room using moderation tools or API.

Wait For Sync and Restart

- Allow the SDK to finish processing what it can, *then* restart your client/application to reload state.

Clear Storage

- If problems persist, completely clear local storage (IndexedDB, localStorage, or whatever backend you use).

`js

// Example: manual clearing IndexedDB

In Some Cases, There’s No Workaround

- If an event deeply corrupted the state, you may need to rely on the developers updating and redeploying the client with a fixed SDK.

Just update your matrix-js-sdk dependency

npm install matrix-js-sdk@latest

Or target 19.4. or higher in your package.json

"dependencies": {
    "matrix-js-sdk": "^19.4."
}

Further Reading and References

- Official Security Advisory (GitHub)
- matrix-js-sdk Changelog
- CVE-2022-36059 on NIST
- How to Redact Events (Matrix Spec)

In Short

If you build or deploy Matrix JS clients – bots, dashboards, or chat systems – prioritize upgrading to matrix-js-sdk 19.4. or later. While there are a few stop-gap workarounds, they’re not bulletproof, and you may not immediately see the damage from this vulnerability until it’s too late.

Stay safe, keep your deps up to date, and be wary of seemingly innocent events!

*This post is exclusive and based on the latest information available as of June 2024.*

Timeline

Published on: 03/28/2023 21:15:00 UTC
Last modified on: 04/05/2023 01:17:00 UTC