CVE-2024-50336

N/A Unknown

Published: November 12, 2024 Modified: November 03, 2025

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-xvg8-m4x3-w6xr

Source: security-advisories@github.com

https://spec.matrix.org/v1.12/client-server-api/#security-considerations-5

Source: security-advisories@github.com

https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

N/A / 10.0

EPSS (Exploit Probability)

0.6%

70th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-22

Related CVEs

CVE-2026-21652 N/A

CVE-2026-21651 N/A

CVE-2026-21650 N/A

CVE-2026-21649 N/A

CVE-2026-21648 N/A