Prototype Pollution in Matrix-org Matrix-js-sdk
CVE-2023-28427
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potent…
Vulnerability class: Prototype Pollution
EPSS: 0.006 (69.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H.
Affected products
- Matrix-org Matrix-js-sdk — versions < 24.0.0
Weakness classification (CWE)
References
- https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-mwq8-fjpf-c2gr (x_refsource_CONFIRM)
- https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0 (x_refsource_MISC)
- www.debian.org/security/2023/dsa-5392
- lists.debian.org/debian-lts-announce/2023/04/msg00027.html
- security.gentoo.org/glsa/202305-36
Frequently asked questions
- What is CVE-2023-28427?
- CVE-2023-28427 is a high-severity vulnerability in Matrix-org Matrix-js-sdk, classified under Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution). CVSS score: 8.2/10. Published 2023-03-28.
- How severe is CVE-2023-28427?
- High severity. CVSS v3 base score is 8.2 out of 10.