Medium severityOSV Advisory· Published Nov 12, 2024· Updated Jun 17, 2026
CVE-2024-50336
CVE-2024-50336
Description
matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver. Fixed in matrix-js-sdk 34.11.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
matrix-js-sdknpm | < 34.11.1 | 34.11.1 |
Affected products
9- Range: no-media-devices-release, v0.1.0, v0.1.1, …
- ghsa-coords8 versionspkg:npm/matrix-js-sdkpkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweedpkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP5pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6
< 34.11.1+ 7 more
- (no CPE)range: < 34.11.1
- (no CPE)range: < 128.5.2-150200.8.194.1
- (no CPE)range: < 128.5.2-150200.8.194.1
- (no CPE)range: < 128.5.2-1.1
- (no CPE)range: < 128.5.2-150200.8.194.1
- (no CPE)range: < 128.5.2-150200.8.194.1
- (no CPE)range: < 128.5.2-150200.8.194.1
- (no CPE)range: < 128.5.2-150200.8.194.1
Patches
Vulnerability mechanics
References
5News mentions
0No linked articles in our index yet.