VYPR
High severity · NVD Advisory · Published Mar 28, 2023 · Updated Feb 18, 2025

Prototype pollution in matrix-react-sdk

CVE-2022-36060

Description

matrix-react-sdk is a Matrix chat protocol SDK for React JavaScript. Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered. This issue has been fixed in matrix-react-sdk 3.53.0 and users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Specially crafted Matrix events with malicious strings can crash room/event tiles in matrix-react-sdk before 3.53.0, causing selective denial of service.

Vulnerability Overview

CVE-2022-36060 is a prototype pollution vulnerability in matrix-react-sdk, a React-based SDK for building Matrix chat clients. Events containing specially crafted strings in certain key fields can trigger crashes in room or event tile rendering, temporarily disrupting the normal display of affected conversations. The underlying issue stems from improper sanitization of event data, leading to prototype pollution that corrupts the SDK's internal state [1][2].
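
The failure class described above, shown in isolation as an added example (not code from matrix-react-sdk or from the advisory): an index keyed by an untrusted event string collides with properties inherited from Object.prototype, while a Map treats every string as plain data. The event shape, the `key` field and all function names are hypothetical, and the sample events are constructed.

```javascript
// Added illustration of the bug class; not matrix-react-sdk code.
// Event shape and function names are hypothetical.

// Constructed sample events: `key` stands in for any sender-controlled string.
const sampleEvents = [
  { sender: "@alice:example.org", key: "👍" },
  { sender: "@bob:example.org", key: "constructor" },
  { sender: "@carol:example.org", key: "__proto__" },
  { sender: "@dave:example.org", key: "👍" },
];

// Weak form: a plain object inherits from Object.prototype, so a lookup
// such as index["constructor"] finds an inherited function, not "no entry".
function groupUnsafe(events) {
  const index = {};
  for (const ev of events) {
    if (!index[ev.key]) index[ev.key] = [];
    index[ev.key].push(ev.sender); // throws when index[ev.key] is inherited
  }
  return index;
}

// Hardened form: a Map has no inherited keys, so every string is just data.
function groupSafe(events) {
  const index = new Map();
  for (const ev of events) {
    if (!index.has(ev.key)) index.set(ev.key, []);
    index.get(ev.key).push(ev.sender);
  }
  return index;
}

// Stand-in for per-tile error handling: report the failure instead of crashing.
function tryGroup(fn, events) {
  try {
    return { ok: true, value: fn(events) };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

const unsafeResult = tryGroup(groupUnsafe, sampleEvents);
const safeResult = tryGroup(groupSafe, sampleEvents);
console.log("plain object:", unsafeResult.ok, unsafeResult.error);
console.log("Map:", safeResult.ok, [...safeResult.value.keys()]);
```

Where a plain object is unavoidable, `Object.create(null)` or an `Object.prototype.hasOwnProperty.call(index, key)` check gives the same separation between inherited properties and data.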

Attack Vector and Exploitation

An attacker capable of sending messages to a Matrix room or otherwise injecting events can include malicious payloads in event content. No special privileges beyond the ability to send normal events are required; the vulnerability is triggered when the client processes the malformed event. The attack surface is limited to clients using the vulnerable SDK, and exploitation results in only partial denial of service—the rest of the application remains functional, but specific rooms or event tiles fail to render [4].

Impact

Successful exploitation causes selective denial of service by making certain rooms or messages invisible to the user. The attacker cannot execute arbitrary code or leak sensitive data, but can persistently disrupt communication within targeted rooms until the user restarts the client or clears caches. The vulnerability is classified with a CVSS score (per NVD) reflecting a medium-severity impact, with integrity and availability affected to a limited degree [2].

Mitigation

The issue has been fixed in matrix-react-sdk version 3.53.0, released on August 31, 2022. Users are strongly advised to upgrade immediately, as no effective workarounds exist. The fix is included in the corresponding Element Web releases. Affected versions of matrix-react-sdk are those prior to 3.53.0 [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
matrix-react-sdk (npm) | < 3.53.0 | 3.53.0
