216.73.217.98

CVE-2025-59160

· Published 16/09/2025 17:15 · Modified 17/09/2025 14:18

Labels: CVE-2025-59160 2025-09-16CVE-2025-59160CWE-345[email protected]

Essential information

Published
16/09/2025 17:15
Modified
17/09/2025 14:18
Author
Creator
CVSS
2.7 LOW (v3) 2.7 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
matrix / matrix js sdk cpe:2.3:a:matrix:matrix_js_sdk:<38.2.0:*:*:*:*:*:*:*

References