
matrix-org: Vulnerabilities & Security Advisories (80)

Browse all 80 CVE security advisories affecting matrix-org. AI-generated Chinese-language analysis, proof-of-concept material and references are provided for each vulnerability.

Matrix.org maintains the open-source Matrix protocol, a decentralized standard for real-time chat, VoIP and collaboration across federated servers: users pick their own homeserver and still interoperate with users on every other one. Synapse, the reference homeserver, accounts for every advisory in the filtered list below, and the recurring themes are denial of service through resource exhaustion or mishandled federation input (server ACL events, malformed federation API parameters, .well-known lookups, URL previews, state resolution), information disclosure to non-members or to remote servers (room membership, community metadata, device lists, auth events), an SSRF-style bypass of the URL-preview deny list, open redirects, HTML injection and XSS in the password-reset and notification paths, weak authentication and authorization checks (deactivated-user login, forged read receipts, federation disabled by malicious invites) and one path traversal rated High (7.5). Most of these stem from the complexity of federation and state-resolution logic, or from insufficient validation of input arriving over the federation and client APIs. The large ecosystem of third-party clients and bridges adds attack surface that the homeserver cannot audit on their behalf. End-to-end encryption protects message content but not the membership, device and receipt metadata the homeserver holds, and several of the entries below are exactly that metadata leaking when a server-side check is wrong.

Showing 24 of 80 results (filtered)

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2023-43796 | Synapse vulnerable to leak of remote user device information | synapse | CWE-200 | 5.3 | Medium | 2023-10-31 |
| CVE-2023-45129 | matrix-synapse vulnerable to denial of service due to malicious server ACL events | synapse | CWE-770 | 4.9 | Medium | 2023-10-10 |
| CVE-2023-41335 | Temporary storage of plaintext passwords during password changes in matrix synapse | synapse | CWE-312 | 3.7 | Low | 2023-09-26 |
| CVE-2023-42453 | Improper validation of receipts allows forged read receipts in matrix synapse | synapse | CWE-285 | 3.1 | Low | 2023-09-26 |
| CVE-2023-32683 | URL deny list bypass via oEmbed and image URLs when generating previews in Synapse | synapse | CWE-863 | 3.5 | Low | 2023-06-06 |
| CVE-2023-32682 | Improper checks for deactivated users during login in synapse | synapse | CWE-287 | 5.4 | Medium | 2023-06-06 |
| CVE-2022-39374 | Synapse denial of service due to incorrect application of event authorization rules during state resolution | synapse | CWE-400 | 5.3 | - | 2023-05-26 |
| CVE-2022-39335 | Synapse does not apply enough checks to servers requesting auth events of events in a room | synapse | CWE-200 | 5.0 | Medium | 2023-05-26 |
| CVE-2023-32323 | Synapse outgoing federation to specific hosts can be disabled by sending malicious invites | synapse | CWE-20 | 5.0 | Medium | 2023-05-26 |
| CVE-2022-41952 | Uncontrolled resource consumption in Matrix Synapse | synapse | CWE-400 | 6.5 | Medium | 2022-11-22 |
| CVE-2022-31152 | Synapse vulnerable to denial of service (DoS) due to incorrect application of event authorization rules | synapse | CWE-703 | 6.4 | Medium | 2022-09-02 |
| CVE-2022-31052 | URL previews can crash Synapse media repositories or Synapse monoliths | synapse | CWE-674 | 6.5 | Medium | 2022-06-28 |
| CVE-2021-41281 | Path traversal in Matrix Synapse | synapse | CWE-22 | 7.5 | High | 2021-11-23 |
| CVE-2021-39164 | Improper authorisation of /members discloses room membership to non-members | synapse | CWE-200 | 3.1 | Low | 2021-08-31 |
| CVE-2021-39163 | Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner | synapse | CWE-200 | 3.1 | Low | 2021-08-31 |
| CVE-2021-29471 | Denial of service in Matrix Synapse | synapse | CWE-400 | 3.7 | Low | 2021-05-11 |
| CVE-2021-21392 | Open redirect via transitional IPv6 addresses on dual-stack networks | synapse | CWE-601 | 6.3 | Medium | 2021-04-12 |
| CVE-2021-21393 | Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints | synapse | CWE-20 | 5.3 | Medium | 2021-04-12 |
| CVE-2021-21394 | Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints | synapse | CWE-20 | 5.3 | Medium | 2021-04-12 |
| CVE-2021-21333 | HTML injection in email and account expiry notifications | synapse | CWE-74 | 6.1 | Medium | 2021-03-26 |
| CVE-2021-21332 | Cross-site scripting (XSS) vulnerability in the password reset endpoint | synapse | CWE-79 | 6.9 | Medium | 2021-03-26 |
| CVE-2021-21273 | Open redirects on some federation and push requests | synapse | CWE-601 | 3.1 | Low | 2021-02-26 |
| CVE-2021-21274 | Denial of service attack via .well-known lookups | synapse | CWE-400 | 4.3 | Medium | 2021-02-26 |
| CVE-2020-26257 | Denial of service attack via incorrect parameters to federation APIs | synapse | CWE-400 | 6.5 | Medium | 2020-12-09 |
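The listing is only useful for triage once it is structured, and the severity column is not always filled in (one row above carries a score but no rating). As an added example, not code from this page or from the Matrix project, the following Python parses rows in the raw run-together form in which this listing is extracted (component, CWE, score, severity and date fused), derives the qualitative band for each CVSS v3 score using FIRST's standard thresholds so blank or inconsistent severity cells can be flagged, groups entries by CWE, and orders them the way a responder would work the list. The five sample rows are copied from the listing above; `Advisory`, `ROW_RE` and the function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: five rows copied from the matrix-org listing above, in the
# run-together form the page is extracted in (constructed for this example).
SAMPLE_ROWS = """\
CVE-2023-43796 Synapse vulnerable to leak of remote user device information — synapseCWE-200 5.3 Medium2023-10-31
CVE-2022-39374 Synapse Denial of service due to incorrect application of event authorization rules during state resolution — synapseCWE-400 5.3 -2023-05-26
CVE-2021-41281 Path traversal in Matrix Synapse — synapseCWE-22 7.5 High2021-11-23
CVE-2021-21332 Cross-site scripting (XSS) vulnerability in the password reset endpoint — synapseCWE-79 6.9 Medium2021-03-26
CVE-2023-41335 Temporary storage of plaintext passwords during password changes in matrix synapse — synapseCWE-312 3.7 Low2023-09-26
"""

# One row: "<CVE> <title> — <component><CWE> <score> <severity><date>".
# The component is non-greedy so it stops exactly where "CWE-" begins;
# a "-" in the severity slot is how the page renders a blank rating.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+—\s+"
    r"(?P<component>[A-Za-z0-9_.-]+?)"
    r"(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+"
    r"(?P<severity>Critical|High|Medium|Low|-)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    component: str
    cwe: str
    cvss: float
    severity: str      # as printed on the page; "-" when the page left it blank
    published: str     # ISO date string, sorts correctly as text


def cvss_band(score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST's standard bands)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_rows(text: str):
    """Parse the run-together listing rows; a row that does not match is an error,
    not silently skipped, so extraction damage is noticed rather than dropped."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        advisories.append(Advisory(
            cve=m["cve"], title=m["title"], component=m["component"],
            cwe=m["cwe"], cvss=float(m["cvss"]), severity=m["severity"],
            published=m["published"],
        ))
    return advisories


def severity_mismatches(advisories):
    """Rows whose printed severity is blank or disagrees with the CVSS band."""
    return [a for a in advisories if a.severity != cvss_band(a.cvss)]


def triage_order(advisories):
    """Highest score first, newest first on ties: the order a responder works the list."""
    return sorted(advisories, key=lambda a: (a.cvss, a.published), reverse=True)


def by_cwe(advisories):
    """Map each CWE to the CVE IDs filed under it, preserving listing order."""
    groups = defaultdict(list)
    for a in advisories:
        groups[a.cwe].append(a.cve)
    return dict(groups)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for a in triage_order(rows):
        print(f"{a.cvss:4.1f} {cvss_band(a.cvss):8} {a.cve:15} {a.cwe:8} {a.title}")
    for a in severity_mismatches(rows):
        print(f"check severity: {a.cve} printed {a.severity!r}, "
              f"CVSS {a.cvss} implies {cvss_band(a.cvss)}")
    print(by_cwe(rows))
```

Run against the five sample rows, the path traversal (7.5) comes out first and CVE-2022-39374 is flagged because its severity cell is blank while its 5.3 score implies Medium. The parser deliberately raises on any row it cannot match: a listing used for triage should fail loudly on a damaged row rather than quietly lose an advisory.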

This page lists every published CVE security advisory associated with matrix-org. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese-language analysis is provided for fast triage; confirm affected and fixed versions against the linked upstream advisory before acting on a score.