Listen to this Post
The vulnerability exists within the `MatrixClient::getJoinedRooms()` method of the matrix-js-sDK. When a room is tombstoned (marked for upgrade), it contains a link (m.room.predecessor) to its replacement room. The SDK insufficiently validated these predecessor links. An attacker could create a malicious room and craft a predecessor event in a tombstoned room that points to it. When `getJoinedRooms()` is called, it would incorrectly consider the malicious, attacker-supplied room as the legitimate upgraded successor of the tombstoned room instead of performing proper validation to ensure the new room was created from a legitimate upgrade event.
Platform: matrix-js-sDK
Version: <38.2.0
Vulnerability: Insufficient Validation
Severity: Low
date: 2025-09-16
Prediction: Patch Available
What Undercode Say:
`MatrixClient::getJoinedRooms()`
`m.room.predecessor`
`getRooms()`
How Exploit:
Malicious predecessor event.
Room replacement attack.
Protection from this CVE
Upgrade to v38.2.0.
Use `getRooms()` instead.
Impact:
Unauthorized room replacement.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

