URL preview setting for a room is controllable by the homeserver in matrix-react-sdk
Description
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malicious homeserver can enable URL previews in encrypted Matrix rooms, causing URLs from encrypted messages to be sent to the server.
Vulnerability
CVE-2024-42347 affects matrix-react-sdk, a React-based SDK for building Matrix chat/voip clients. A malicious homeserver can manipulate a user's account data to force the client to enable URL previews in end-to-end encrypted rooms. This causes any URLs present in encrypted messages to be sent to the homeserver, undermining the confidentiality of encrypted communications [1][4].
Exploitation
Exploitation requires a malicious or compromised homeserver. Account data is stored on the homeserver and read back by the client on sync, so the server can rewrite it at will: the attacker sets the per-room flag that enables URL previews, and the client honours it even for an end-to-end encrypted room. No user interaction beyond being a member of the room and viewing a message that contains a URL is needed. Deployments that fully trust their homeserver, or operate within closed federations of trusted servers, are not affected [1].
Impact
An attacker controlling the homeserver gains the ability to observe every URL contained in messages the client renders in encrypted rooms, without the user clicking anything, because the client asks the server to generate a preview for each one. While the message bodies themselves remain encrypted, the URLs are disclosed to the server, potentially exposing sensitive information such as authentication tokens embedded in links or the locations of private resources [4].
Mitigation
The GitHub Security Advisory lists 3.105.1 as the first patched version of matrix-react-sdk, and the release tag it cites is v3.105.1 [1][3]; the CVE description above states 3.105.0. Users are strongly advised to upgrade to 3.105.1 or later. There are no known workarounds; the only alternative is to ensure the homeserver is trusted [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| matrix-react-sdk | npm | < 3.105.1 | 3.105.1 |
Affected products
- matrix-org/matrix-react-sdk, range: < 3.105.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-f83w-wqhc-cfp4 (GHSA advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2024-42347 (NVD entry)
3. https://github.com/matrix-org/matrix-react-sdk/releases/tag/v3.105.1 (release notes)
4. https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4 (project security advisory)
News mentions
No linked articles in our index yet.