
matrix-org — Vulnerabilities & Security Advisories (80)

Browse all 80 CVE security advisories affecting matrix-org. AI-powered Chinese analysis, PoCs, and references are provided for each vulnerability.

Entries shown on this page (30 of 80), newest first:

| CVE ID | Title | Project | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-66622 | matrix-sdk-base is vulnerable to DoS via custom m.room.join_rules event values | matrix-rust-sdk | CWE-755 | 7.5 (AI) | High (AI) | 2025-12-09 |
| CVE-2025-59160 | matrix-js-sdk has insufficient validation when considering a room to be upgraded by another | matrix-js-sdk | CWE-345 | 7.5 (AI) | High (AI) | 2025-09-16 |
| CVE-2025-59047 | matrix-sdk-base has a panic in the `RoomMember::normalized_power_level()` method | matrix-rust-sdk | CWE-682 | 7.5 (AI) | High (AI) | 2025-09-11 |
| CVE-2025-53549 | Matrix Rust SDK allows SQL injection in the EventCache implementation | matrix-rust-sdk | CWE-89 | 8.8 (AI) | High (AI) | 2025-07-10 |
| CVE-2025-48937 | matrix-sdk-crypto vulnerable to sender of encrypted events being spoofed by homeserver administrator | matrix-rust-sdk | CWE-290 | 4.9 | Medium | 2025-06-10 |
| CVE-2025-27155 | In-memory stored cross-site scripting (XSS) vulnerability in pineconesim | pinecone | CWE-79 | 6.1 | Medium | 2025-03-04 |
| CVE-2025-27146 | Matrix IRC Bridge allows IRC command injection to own puppeted user | matrix-appservice-irc | CWE-77 | 2.7 | Low | 2025-02-25 |
| CVE-2025-23197 | matrix-hookshot has a potential denial of service when Hookshot is configured with GitHub support | matrix-hookshot | CWE-754 | 6.5 | Medium | 2025-01-27 |
| CVE-2025-24024 | Mjolnir v1.9.0 accepts commands from any room | mjolnir | CWE-671 | 9.1 | Critical | 2025-01-21 |
| CVE-2024-52594 | Server-Side Request Forgery (SSRF) on redirects and federation in gomatrixserverlib | gomatrixserverlib | CWE-918 | 4.3 | Medium | 2025-01-16 |
| CVE-2024-52813 | matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity | matrix-rust-sdk | CWE-223 | 4.3 | Medium | 2025-01-07 |
| CVE-2024-52505 | matrix-appservice-irc allows IRC command injection in provisioning API | matrix-appservice-irc | CWE-147 | 5.4 | Medium | 2024-11-14 |
| CVE-2024-50336 | matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal | matrix-js-sdk | CWE-22 | 7.1 (AI) | High (AI) | 2024-11-12 |
| CVE-2024-47824 | Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room | matrix-react-sdk | CWE-200 | 6.5 | - | 2024-10-15 |
| CVE-2024-47080 | matrix-js-sdk keys sent via `sendSharedHistoryKeys` vulnerable to interception by malicious homeserver | matrix-js-sdk | CWE-200 | 7.5 | - | 2024-10-15 |
| CVE-2024-42369 | A room with itself as its predecessor will freeze matrix-js-sdk | matrix-js-sdk | CWE-674 | 4.1 | Medium | 2024-08-20 |
| CVE-2024-42347 | URL preview setting for a room is controllable by the homeserver in matrix-react-sdk | matrix-react-sdk | CWE-359 | 7.7 | High | 2024-08-06 |
| CVE-2024-40648 | `UserIdentity::is_verified` not checking verification status of own user identity while performing the check in matrix-rust-sdk | matrix-rust-sdk | CWE-287 | 5.4 | Medium | 2024-07-18 |
| CVE-2024-40640 | Usage of non-constant-time base64 decoder could lead to leakage of secret key material in vodozemac | vodozemac | CWE-208 | 2.9 | Low | 2024-07-17 |
| CVE-2024-39691 | Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to | matrix-appservice-irc | CWE-280 | 4.3 | Medium | 2024-07-05 |
| CVE-2024-34353 | matrix-sdk-crypto contains a log exposure of the private key of the server-side key backup | matrix-sdk-crypto | CWE-532 | 5.5 | Medium | 2024-05-13 |
| CVE-2024-34063 | Degraded secret zeroization capabilities in vodozemac | vodozemac | CWE-1188 | 2.5 | Low | 2024-05-03 |
| CVE-2024-32000 | Truncated content of messages can be leaked from matrix-appservice-irc | matrix-appservice-irc | CWE-280 | 4.3 | Medium | 2024-04-12 |
| CVE-2023-43796 | Synapse vulnerable to leak of remote user device information | synapse | CWE-200 | 5.3 | Medium | 2023-10-31 |
| CVE-2023-45129 | matrix-synapse vulnerable to denial of service due to malicious server ACL events | synapse | CWE-770 | 4.9 | Medium | 2023-10-10 |
| CVE-2023-43656 | Sandbox escape for instances that have enabled transformation functions in matrix-hookshot | matrix-hookshot | CWE-74 | 5.6 | Medium | 2023-09-27 |
| CVE-2023-41335 | Temporary storage of plaintext passwords during password changes in Matrix Synapse | synapse | CWE-312 | 3.7 | Low | 2023-09-26 |
| CVE-2023-42453 | Improper validation of receipts allows forged read receipts in Matrix Synapse | synapse | CWE-285 | 3.1 | Low | 2023-09-26 |
| CVE-2023-38700 | matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms | matrix-appservice-irc | CWE-200 | 3.5 | Low | 2023-08-04 |
| CVE-2023-38691 | matrix-appservice-bridge doesn't verify the sub parameter of an OpenID token exchange, allowing unauthorized access to provisioning APIs | matrix-appservice-bridge | CWE-287 | 5.0 | Medium | 2023-08-04 |

CVSS and severity values marked (AI) are AI-generated estimates produced by this site rather than scores published with the advisory; unmarked values are taken from the advisory. A hyphen in the Severity column means no severity rating is given for that entry.

This page lists every published CVE security advisory associated with matrix-org. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.