Prototype pollution in matrix-react-sdk
Description
matrix-react-sdk is a Matrix chat protocol SDK for React Javascript. In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. This is fixed in matrix-react-sdk 3.69.0 and users are advised to upgrade. There are no known workarounds for this vulnerability. Note this advisory is distinct from GHSA-2x9c-qwgf-94xr which refers to a similar issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution in matrix-react-sdk via malicious server events can cause denial of service; fixed in version 3.69.0.
Vulnerability
CVE-2023-28103 is a prototype pollution vulnerability in matrix-react-sdk, the React-based SDK used by Element Web/Desktop and Cinny. In certain configurations, data sent by remote servers containing special strings in key locations can modify Object.prototype, disrupting normal SDK functionality [1][2][3]. This is the second part of a pair of similar issues; the first part (CVE-2022-36060) was patched in matrix-react-sdk 3.53.0 but disclosed only after a subsequent codebase audit identified the remaining vectors addressed by this CVE [4].
Exploitation
An attacker who controls a Matrix server can send events whose keys contain special strings; when a vulnerable client processes those events, the result is prototype pollution. No user interaction beyond receiving the malicious event is required; the attack surface is the normal server-client communication channel [2][3].
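The bug class described above, as an added illustration that is not matrix-react-sdk code and not taken from the advisory: a hypothetical store indexed by strings from remote events, first with plain objects and then with `Map`. The event shape, field names and function names are assumptions, and the sample events are constructed.

```javascript
// Added illustration; not matrix-react-sdk code. Event shape and names are hypothetical.
// Constructed sample events: the second carries "__proto__" where a key is expected.
const sampleEvents = [
  { room: "!abc:example.org", key: "m.room.topic", value: "hello" },
  { room: "__proto__", key: "polluted", value: true },
];

// Unsafe pattern: plain objects indexed by remote-controlled strings.
function indexUnsafe(events) {
  const store = {};
  for (const ev of events) {
    // store["__proto__"] resolves to Object.prototype, so no fresh object is created...
    if (!store[ev.room]) store[ev.room] = {};
    // ...and this write lands on Object.prototype, visible from every object.
    store[ev.room][ev.key] = ev.value;
  }
  return store;
}

// Hardened pattern: Map treats every key, including "__proto__", as opaque data.
function indexSafe(events) {
  const store = new Map();
  for (const ev of events) {
    if (!store.has(ev.room)) store.set(ev.room, new Map());
    store.get(ev.room).set(ev.key, ev.value);
  }
  return store;
}

// Runs both variants and reports whether Object.prototype gained a property.
function runDemo() {
  const result = {};
  try {
    indexUnsafe(sampleEvents);
    result.unsafePolluted = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  } finally {
    delete Object.prototype.polluted; // restore the prototype before continuing
  }
  const safe = indexSafe(sampleEvents);
  result.safePolluted = "polluted" in {};
  result.safeStored = safe.get("__proto__").get("polluted");
  return result;
}

console.log(runDemo());
```

Objects created with `Object.create(null)` give the same protection as `Map` where a plain-object shape is required.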
Impact
Successful exploitation causes denial of service by temporarily disrupting SDK functionality. While the Matrix.org advisory classifies this as High severity and notes that only a DoS impact has been demonstrated, prototype pollution can potentially affect program logic and the ability to process data safely. The advisory explicitly does not rule out a more severe impact [3].
Mitigation
The vulnerability is fixed in matrix-react-sdk version 3.69.0. Users of affected clients (Element Web/Desktop, Cinny, and others) are advised to upgrade without delay. No workarounds exist [2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-react-sdk (npm) | < 3.69.0 | 3.69.0 |
Affected products
- matrix-org/matrix-react-sdk (v5) Range: < 3.69.0
References
- github.com/advisories/GHSA-6g43-88cp-w5gv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-28103 (ghsa, ADVISORY)
- github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-2x9c-qwgf-94xr (ghsa, WEB)
- github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-6g43-88cp-w5gv (ghsa, x_refsource_CONFIRM, WEB)
- matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0 (ghsa, x_refsource_MISC, WEB)