File upload local preview can run embedded scripts after user interaction
Description
Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the preview in a separate tab. This only impacts the local user while in the process of uploading. It cannot be exploited remotely or by other users. This vulnerability is patched in version 3.21.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Matrix-React-SDK before 3.21.0 allows script execution via uploaded file preview after user interaction, patched in 3.21.0.
Vulnerability
In Matrix-React-SDK before version 3.21.0, when a user uploads a file, the local file preview mechanism can lead to execution of scripts embedded in the uploaded file. This occurs only after several user interactions to open the preview in a separate tab. [1][3]
Exploitation
An attacker must convince the local user to upload a file containing malicious scripts and then perform several interactions to open the preview in a separate tab. The vulnerability cannot be exploited remotely or by other users; it only impacts the local user during the upload process. [1][3]
Impact
Successful exploitation allows the embedded scripts to execute in the context of the local file preview, potentially leading to information disclosure or other client-side impacts within the user's browser session. [1][3]
Mitigation
The vulnerability is fixed in Matrix-React-SDK version 3.21.0, which includes pull request #5981 [2]. Users should upgrade to 3.21.0 or later. No workarounds are available. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-react-sdk (npm) | < 3.21.0 | 3.21.0 |
Affected products
- matrix-org/matrix-react-sdk, range: < 3.21.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cg57-p69r-3m7p (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32622 (advisory)
- github.com/matrix-org/matrix-react-sdk/pull/5981 (web)
- github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-8796-gc9j-63rv (web, confirm)
- www.npmjs.com/package/matrix-react-sdk (web)
News mentions
No linked articles in our index yet.