VYPR
Medium severity · OSV Advisory · Published Nov 12, 2024 · Updated Apr 15, 2026

CVE-2024-50336

Description

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs, allowing a malicious room member to issue arbitrary authenticated GET requests to the victim's homeserver.

Vulnerability

matrix-js-sdk before 34.11.0 fails to validate MXC URIs on the client side, leading to a path traversal vulnerability [3]. While the Matrix specification requires homeservers to validate MXC URIs to prevent path traversal, it does not mandate similar checks on the client side [1]. The SDK's insufficient validation allows crafted MXC URIs to traverse paths.

Exploitation

A malicious room member can send a specially crafted MXC URI that, when processed by a vulnerable client, causes the SDK to issue an authenticated GET request to the client's homeserver with an arbitrary path [4]. This attack requires no special privileges beyond being a member of a shared room; the victim does not need to interact with the URI beyond receiving it.

Impact

By exploiting this vulnerability, an attacker can leverage the victim's authenticated session to make arbitrary GET requests to the homeserver. This could allow the attacker to access sensitive endpoints, read private data, or perform actions on behalf of the victim, depending on the homeserver's API [4].

Mitigation

The vulnerability is fixed in matrix-js-sdk version 34.11.1 [3]. No workarounds are available; users should update to the patched version immediately [4].
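As an added illustration of the client-side check the Vulnerability section describes as missing (example code written here, not matrix-js-sdk's own fix): a strict MXC URI parser that accepts only mxc://<server-name>/<media-id>, restricts the media ID to [A-Za-z0-9_-], and percent-encodes both parts before building the download URL, so a crafted URI cannot alter the request path. The media-ID character set and the download endpoint path are assumptions taken from the Matrix specification, not from this advisory.

```javascript
// Added example, not matrix-js-sdk code. Assumed grammar (Matrix spec):
//   mxc://<server-name>/<media-id>, with media-id matching [A-Za-z0-9_-]+
const MEDIA_ID_RE = /^[A-Za-z0-9_-]+$/;
// server-name: hostname or bracketed IPv6 literal, with an optional :port
const SERVER_NAME_RE = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:[0-9]{1,5})?$/;

// Parse an MXC URI strictly: exactly two path components, no query or fragment.
// Returns { serverName, mediaId } or null when the URI must be rejected.
function parseMxcUri(mxc) {
  if (typeof mxc !== "string") return null;
  const m = /^mxc:\/\/([^/?#]+)\/([^/?#]+)$/.exec(mxc);
  if (!m) return null; // wrong scheme, extra "/" segments, "?" or "#"
  const [, serverName, mediaId] = m;
  if (!SERVER_NAME_RE.test(serverName)) return null;
  if (!MEDIA_ID_RE.test(mediaId)) return null; // rejects ".", "..", "%2F", ...
  return { serverName, mediaId };
}

// Build the authenticated media download URL (endpoint path assumed from the
// Matrix spec). Both components were validated above and are percent-encoded
// here, so the request path always stays under the media download prefix.
function downloadUrlForMxc(baseUrl, mxc) {
  const parsed = parseMxcUri(mxc);
  if (parsed === null) return null;
  return (
    `${baseUrl}/_matrix/client/v1/media/download/` +
    `${encodeURIComponent(parsed.serverName)}/${encodeURIComponent(parsed.mediaId)}`
  );
}

// Constructed sample inputs: one well-formed URI and several that must be rejected.
const SAMPLES = [
  "mxc://matrix.org/abcDEF-_123",
  "mxc://matrix.org/../../other-endpoint",
  "mxc://matrix.org/..%2F..%2Fother-endpoint",
  "mxc://matrix.org/abc?x=1",
  "https://matrix.org/abc",
];

// Returns [uri, accepted] pairs for the constructed samples.
function classifySamples() {
  return SAMPLES.map((u) => [u, parseMxcUri(u) !== null]);
}

for (const [uri, ok] of classifySamples()) {
  console.log(ok ? "accept" : "reject", uri);
}
```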

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem   Affected versions   Patched versions
matrix-js-sdk   npm         < 34.11.1           34.11.1
