
matrix-org — Vulnerabilities & Security Advisories (80)

Browse all 80 CVE security advisories affecting matrix-org. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Matrix.org operates the open-source Matrix protocol, a decentralized communication standard enabling real-time chat, VoIP, and collaboration across federated servers. This architecture allows users to choose their own homeservers while maintaining interoperability with other platforms. Historically, vulnerabilities within the reference implementation and related components have frequently involved server-side request forgery, cross-site scripting, and improper access controls. These flaws often stem from complex federation logic or insufficient input validation in web interfaces. Notable incidents include critical privilege escalation bugs that allowed unauthenticated attackers to execute arbitrary code or access private user data. The project’s reliance on a large ecosystem of third-party clients and bridges introduces additional attack surfaces, requiring rigorous security audits. While the protocol itself emphasizes end-to-end encryption, implementation errors in the core server software have repeatedly exposed sensitive information, highlighting the challenges of securing decentralized infrastructure.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2022-29166 | Improper handling of multiline messages in matrix-appservice-irc | matrix-appservice-irc | CWE-74 | 8.0 | High | 2022-05-05 |
| CVE-2021-41281 | Path traversal in Matrix Synapse | synapse | CWE-22 | 7.5 | High | 2021-11-23 |
| CVE-2021-39164 | Improper authorisation of /members discloses room membership to non-members | synapse | CWE-200 | 3.1 | Low | 2021-08-31 |
| CVE-2021-39163 | Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner | synapse | CWE-200 | 3.1 | Low | 2021-08-31 |
| CVE-2021-32659 | Automatic room upgrade handling can be used maliciously to bridge a room non-consentually | matrix-appservice-bridge | CWE-306 | 6.5 | Medium | 2021-06-16 |
| CVE-2021-32622 | File upload local preview can run embedded scripts after user interaction | matrix-react-sdk | CWE-74 | 4.2 | Medium | 2021-05-17 |
| CVE-2021-29471 | Denial of service in Matrix Synapse | synapse | CWE-400 | 3.7 | Low | 2021-05-11 |
| CVE-2021-29431 | SSRF in Sydent due to missing validation of hostnames | sydent | CWE-20 | 7.7 | High | 2021-04-15 |
| CVE-2021-29432 | Malicious users could control the content of invitation emails | sydent | CWE-20 | 5.3 | Medium | 2021-04-15 |
| CVE-2021-29430 | Denial of service attack via memory exhaustion | sydent | CWE-20 | 7.5 | High | 2021-04-15 |
| CVE-2021-29433 | Denial of service (via resource exhaustion) due to improper input validation | sydent | CWE-20 | 4.3 | Medium | 2021-04-15 |
| CVE-2021-21392 | Open redirect via transitional IPv6 addresses on dual-stack networks | synapse | CWE-601 | 6.3 | Medium | 2021-04-12 |
| CVE-2021-21393 | Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints | synapse | CWE-20 | 5.3 | Medium | 2021-04-12 |
| CVE-2021-21394 | Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints | synapse | CWE-20 | 5.3 | Medium | 2021-04-12 |
| CVE-2021-21333 | HTML injection in email and account expiry notifications | synapse | CWE-74 | 6.1 | Medium | 2021-03-26 |
| CVE-2021-21332 | Cross-site scripting (XSS) vulnerability in the password reset endpoint | synapse | CWE-79 | 6.9 | Medium | 2021-03-26 |
| CVE-2021-21320 | User content sandbox can be confused into opening arbitrary documents | matrix-react-sdk | CWE-345 | 2.6 | Low | 2021-03-02 |
| CVE-2021-21273 | Open redirects on some federation and push requests | synapse | CWE-601 | 3.1 | Low | 2021-02-26 |
| CVE-2021-21274 | Denial of service attack via .well-known lookups | synapse | CWE-400 | 4.3 | Medium | 2021-02-26 |
| CVE-2020-26257 | Denial of service attack via incorrect parameters to federation APIs | synapse | CWE-400 | 6.5 | Medium | 2020-12-09 |

This page lists every published CVE security advisory associated with matrix-org. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.