Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

matrix-org — Vulnerabilities & Security Advisories 80

Browse all 80 CVE security advisories affecting matrix-org. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Matrix.org operates the open-source Matrix protocol, a decentralized communication standard enabling real-time chat, VoIP, and collaboration across federated servers. This architecture allows users to choose their own homeservers while maintaining interoperability with other platforms. Historically, vulnerabilities within the reference implementation and related components have frequently involved server-side request forgery, cross-site scripting, and improper access controls. These flaws often stem from complex federation logic or insufficient input validation in web interfaces. Notable incidents include critical privilege escalation bugs that allowed unauthenticated attackers to execute arbitrary code or access private user data. The project’s reliance on a large ecosystem of third-party clients and bridges introduces additional attack surfaces, requiring rigorous security audits. While the protocol itself emphasizes end-to-end encryption, implementation errors in the core server software have repeatedly exposed sensitive information, highlighting the challenges of securing decentralized infrastructure.

Top products by matrix-org: synapse matrix-js-sdk matrix-appservice-irc matrix-react-sdk matrix-rust-sdk sydent matrix-appservice-bridge gomatrixserverlib matrix-android-sdk2 matrix-ios-sdk matrix-hookshot vodozemac dendrite matrix-sdk-crypto mjolnir pinecone
CVE IDTitleCVSSSeverityPublished
CVE-2023-38690 matrix-appservice-irc IRC command injection via admin commands containing newlines — matrix-appservice-ircCWE-20 5.8 Medium2023-08-04
CVE-2023-38686 Sydent does not verify email server certificates — sydentCWE-295 9.3 Critical2023-08-04
CVE-2023-37259 Cross site scripting in Export Chat feature — matrix-react-sdkCWE-79 6.1 Medium2023-07-18
CVE-2023-32683 URL deny list bypass via oEmbed and image URLs when generating previews in Synapse — synapseCWE-863 3.5 Low2023-06-06
CVE-2023-32682 Improper checks for deactivated users during login in synapse — synapseCWE-287 5.4 Medium2023-06-06
CVE-2022-39374 Synapse Denial of service due to incorrect application of event authorization rules during state resolution — synapseCWE-400 5.3 -2023-05-26
CVE-2022-39335 Synapse does not apply enough checks to servers requesting auth events of events in a room — synapseCWE-200 5.0 Medium2023-05-26
CVE-2023-32323 Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites — synapseCWE-20 5.0 Medium2023-05-26
CVE-2023-30609 matrix-react-sdk vulnerable to HTML injection in search results via plaintext message highlighting — matrix-react-sdkCWE-74 5.4 Medium2023-04-25
CVE-2023-29529 matrix-js-sdk vulnerable to invisible eavesdropping in group calls — matrix-js-sdkCWE-862 5.0 Medium2023-04-14
CVE-2022-36060 Prototype pollution in matrix-react-sdk — matrix-react-sdkCWE-1321 8.2 High2023-03-28
CVE-2023-28103 Prototype pollution in matrix-react-sdk — matrix-react-sdkCWE-1321 8.2 High2023-03-28
CVE-2023-28427 Prototype pollution in matrix-js-sdk — matrix-js-sdkCWE-1321 8.2 High2023-03-28
CVE-2022-36059 Prototype pollution in matrix-js-sdk — matrix-js-sdkCWE-1321 8.2 High2023-03-28
CVE-2022-41952 Uncontrolled Resource Consumption in Matrix Synapse — synapseCWE-400 6.5 Medium2022-11-22
CVE-2022-39252 When matrix-rust-sdk recieves forwarded room keys, the reciever doesn't check if it requested the key from the forwarder — matrix-rust-sdkCWE-322 8.6 High2022-09-29
CVE-2022-39250 Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification — matrix-js-sdkCWE-322 8.6 High2022-09-29
CVE-2022-39257 Matrix iOS SDK vulnerable to impersonation via forwarded Megolm sessions — matrix-ios-sdkCWE-322 7.5 High2022-09-28
CVE-2022-39255 Matrix iOS SDK vulnerable ton Olm/Megolm protocol confusion — matrix-ios-sdkCWE-322 8.6 High2022-09-28
CVE-2022-39248 matrix-android-sdk2 vulnerable to Olm/Megolm protocol confusion — matrix-android-sdk2CWE-322 8.6 High2022-09-28
CVE-2022-39246 matrix-android-sdk2 vulnerable to impersonation via forwarded Megolm sessions — matrix-android-sdk2CWE-322 7.5 High2022-09-28
CVE-2022-39249 Matrix Javascript SDK vulnerable to impersonation via forwarded Megolm sessions — matrix-js-sdkCWE-322 7.5 High2022-09-28
CVE-2022-39251 Matrix Javascript SDK vulnerable to Olm/Megolm protocol confusion — matrix-js-sdkCWE-322 8.6 High2022-09-28
CVE-2022-39236 Matrix Javascript SDK improper beacon events can cause availability issues — matrix-js-sdkCWE-20 4.3 Medium2022-09-28
CVE-2022-39203 Parsing issue in matrix-org/node-irc leading to room takeovers — matrix-appservice-ircCWE-269 8.8 High2022-09-13
CVE-2022-39202 IRC mode parameter confusion in matrix-appservice-irc — matrix-appservice-ircCWE-269 4.3 Medium2022-09-13
CVE-2022-39200 Signature checks not applied to some retrieved missing events — dendriteCWE-347 7.3 High2022-09-12
CVE-2022-31152 Synapse vulnerable to denial of service (DoS) due to incorrect application of event authorization rules — synapseCWE-703 6.4 Medium2022-09-02
CVE-2022-36009 Incorrect parsing of access level in gomatrixserverlib and dendrite — gomatrixserverlibCWE-863 5.0 Medium2022-08-19
CVE-2022-31052 URL previews can crash Synapse media repositories or Synapse monoliths — synapseCWE-674 6.5 Medium2022-06-28

This page lists every published CVE security advisory associated with matrix-org. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.