Matrix-js-sdk is a popular JavaScript Software Development Kit (SDK) that supports the Matrix messaging protocol for client-server communications. Recently, a vulnerability was discovered in matrix-js-sdk that could potentially disrupt its functionality and affect the data processing capabilities of its users. The vulnerability was designated CVE-2022-36059.

Details of CVE-2022-36059

In matrix-js-sdk versions prior to 19.4., events sent with specific strings in critical locations can cause temporary disruptions or interference in the normal functioning of the SDK. This can result in the user's inability to process data safely. The matrix-js-sdk may still appear to function normally even while it is excluding or corrupting runtime data presented to the user.

A vulnerable code snippet illustrating this issue

// matrix-js-sdk version: <= 19.3.
const sdk = require('matrix-js-sdk');

// createClient is a factory function exported by the SDK, not a constructor
const matrixClient = sdk.createClient({
    baseUrl: 'https://matrix.example.com',
    accessToken: 'ACCESS_TOKEN_HERE',
    userId: '@example:matrix.org',
});

// Register the listener before starting the client so no sync state change is missed
matrixClient.on('sync', function (state, prevState, res) {
    console.log('Data Processing: ', state, prevState, res);
    // ... more code here ...
});

// Begin syncing; incoming events are processed by the SDK from this point on
matrixClient.startClient({
    initialSyncLimit: 10,
});

Exploit details

An attacker could craft a malicious event with special strings designed to trigger the vulnerability in the affected versions of matrix-js-sdk. Once the event is processed, the impact on the matrix-js-sdk could cause runtime data to be excluded or corrupted, potentially compromising the client's safe data processing.

Mitigations and recommendations

The issue has been resolved in matrix-js-sdk version 19.4., and users are advised to upgrade to the latest version of the SDK.

Restart the client application

If the issue persists following these steps, the user can clear all storage to attempt a fix. In some cases, no workarounds may be possible.
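
As an added example (not code from the matrix-js-sdk project or from this article's author), the script below checks a parsed package-lock.json for every installed copy of matrix-js-sdk, including copies nested under other dependencies, and flags any that predate the 19.4 release named above. The sample lockfile, the `some-widget` package name and the handling of pre-release versions are assumptions made for illustration.

```javascript
// Added example, not from the matrix-js-sdk project.
const PKG = 'matrix-js-sdk';
const FIXED = [19, 4]; // major, minor of the fixed release named in the article

// True when a version string is older than the fixed release.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(version || '');
  if (!m) return true; // missing or unparseable (git URL, link): flag for review
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major !== FIXED[0]) return major < FIXED[0];
  if (minor !== FIXED[1]) return minor < FIXED[1];
  // Assumption: a pre-release of the first 19.4 build precedes the fix.
  return patch === 0 && Boolean(m[4]);
}

// Collect every installed copy, including ones nested under other packages.
function findSdkCopies(lock) {
  const found = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      found.push({ path, version: meta.version });
    }
  }
  if (found.length) return found; // v2 files repeat the data in the legacy tree
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

const audit = (lock) =>
  findSdkCopies(lock).map((c) => ({ ...c, affected: isAffected(c.version) }));

// Constructed sample lockfile; "some-widget" is a hypothetical package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/matrix-js-sdk': { version: '19.5.0' },
    'node_modules/some-widget/node_modules/matrix-js-sdk': { version: '19.3.0' },
  },
};
console.log(audit(sampleLock));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `audit` and treat any entry with `affected: true` as needing an upgrade or manual review.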

Conclusion

CVE-2022-36059 is a serious vulnerability in matrix-js-sdk that could affect its safe data processing capabilities. It is vital for users to upgrade to version 19.4. or above, implement the suggested mitigations, and stay up-to-date on any new developments.

Timeline

Published on: 03/28/2023 21:15:00 UTC
Last modified on: 04/05/2023 01:17:00 UTC