CVE-2022-36060 - Patch Released for Matrix-React-SDK Vulnerability

A security vulnerability, identified as CVE-2022-36060, has been discovered in the matrix-react-sdk, a Matrix chat protocol SDK used for React JavaScript. The issue resides in a specific area where events are sent using special strings, causing temporary disruptions or impediments to the proper functioning of the matrix-react-sdk. Although the application may seem functional, specific rooms or events might not be rendered correctly. This vulnerability has been addressed in matrix-react-sdk 3.53., and users are advised to upgrade their version. No workarounds have been identified for this vulnerability. This long read post will break down the details of the discovered exploit, including code snippets, links to original references, and recommendations for mitigating potential risks associated with this vulnerability.

A sample exploit code illustrating the vulnerability would look like this

// malicious code with a special string
const eventName = "dangerousEvent";
const eventPayload = {
  property: "someValue",
  maliciousKey: "\u202E",
};

// matrix-react-sdk event sending code
const matrixEvent = new MatrixEvent(eventName, eventPayload);
// The eventName and eventPayload are unintentionally altered due to the presence of the special string
sdkClient.sendEvent(matrixEvent);

In this code snippet, the special string "\u202E" is included in the eventPayload object. When the matrixEvent is created and sent using the sdkClient, the presence of the special string can cause disruption in rendering rooms and events within the matrix-react-sdk. This issue can be exploited by attackers to disrupt the user experience.

Original References

- Matrix: https://matrix.org/docs/spec/client_server/r.6.1
- Matrix-react-sdk: https://github.com/matrix-org/matrix-react-sdk
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36060

Exploit Details

An attacker can exploit this vulnerability by sending specifically crafted strings within the Matrix chat protocol. These special strings, when placed in key areas, can cause room or event tile crashes in the matrix-react-sdk. As a result, certain Matrix client applications may experience disruptions or even denial of service (DoS) conditions.

Mitigation and Recommendations

To mitigate this vulnerability, it is highly recommended users apply the latest patch and upgrade their matrix-react-sdk to version 3.53.. No known workarounds have been identified for this vulnerability.

Check your current version of the matrix-react-sdk by running the following command

npm list matrix-react-sdk

If the version displayed is below version 3.53., upgrade by running the following command

npm install matrix-react-sdk@3.53.

Test and verify that your application works correctly with the updated version.

In conclusion, the CVE-2022-36060 vulnerability poses a significant risk to the proper functioning of matrix-react-sdk applications. Users are advised to take immediate action and upgrade their matrix-react-sdk version to 3.53. to protect their applications from potential disruptions and attacks.

Timeline

Published on: 03/28/2023 21:15:00 UTC
Last modified on: 04/05/2023 00:15:00 UTC