CVE-2024-50336

matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.

INFO

Published Date :

2024-11-12T16:38:53.164Z

Last Modified :

2025-11-03T22:28:21.121Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2024-50336 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-50336.

URL	Resource
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr
https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html
https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability