Auth bypass in Matrix-org Matrix-js-sdk

CVE-2024-47080

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. In matrix-js-sdk versions versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malicious homeservers…

Vulnerability class: Information Disclosure

EPSS: 0.006 (69.3th percentile) — read the EPSS interpretation.

Affected products

Matrix-org Matrix-js-sdk — versions >= 9.11.0, < 34.8.0

Weakness classification (CWE)

References

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-4jf8-g8wp-cx7c (x_refsource_CONFIRM)
https://github.com/matrix-org/matrix-spec-proposals/pull/3061 (x_refsource_MISC)
https://github.com/matrix-org/matrix-js-sdk/commit/2fb1e659c81f75253c047832dc9dcc2beddfac5f (x_refsource_MISC)