Vulnerability in Matrix-org Matrix-js-sdk
CVE-2025-59160
Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to…
EPSS: 0.001 (28.6th percentile)
Affected products
- Matrix-org Matrix-js-sdk — versions < 38.2.0