7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36059

GHSA ID

GHSA-rfv9-x7hh-xc32

EPSS Score

0.74215%

CWE

CWE-1321

Published

3/28/2023

Updated

3/28/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36059

CVE-2022-36059:
matrix-js-sdk Prototype Pollution vulnerability

Impact

Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.

Patches

This is fixed in matrix-js-sdk 19.4.0.

Workarounds

Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will often fix most perceived issues.

In some cases, no workarounds are possible.

References

https://learn.snyk.io/lessons/prototype-pollution/javascript/

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36059

GHSA ID

GHSA-rfv9-x7hh-xc32

EPSS Score

0.74215%

CWE

CWE-1321

Published

3/28/2023

Updated

3/28/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-js-sdk	npm	< 19.4.0	19.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Prototype pollution vulnerabilities typically occur in functions that: 1) Process untrusted JSON input 2) Use recursive object merging 3) Assign properties using user-controlled keys. The advisory specifically mentions event processing impacts, pointing to functions handling event content parsing (EventUtils) and sync processing (SyncApi). The deepCopy utility is a common pattern vulnerable to prototype pollution when not using safe merging. The high confidence for utils.deepCopy and EventUtils.parseEventContent comes from their direct role in processing event data, while SyncApi._processRoomEvents gets medium confidence due to its position in the sync workflow mentioned in workarounds.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *v*nts s*nt wit* sp**i*l strin*s in k*y pl***s **n t*mpor*rily *isrupt or imp*** t** m*trix-js-s*k *rom *un*tionin* prop*rly, pot*nti*lly imp**tin* t** *onsum*r's **ility to pro**ss **t* s***ly. Not* t**t t** m*trix-js-s*k **n *pp**r to **

Reasoning

Prototyp* pollution vuln*r**iliti*s typi**lly o**ur in *un*tions t**t: *) `Pro**ss` untrust** JSON input *) Us* r**ursiv* o*j**t m*r*in* *) *ssi*n prop*rti*s usin* us*r-*ontroll** k*ys. T** **visory sp**i*i**lly m*ntions *v*nt pro**ssin* imp**ts, poi

7.2

Basic Information

Concerned about an active attack path?

CVE-2022-36059: matrix-js-sdk Prototype Pollution vulnerability

Impact

Patches

Workarounds

References

For more information

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-36059:
matrix-js-sdk Prototype Pollution vulnerability

Vulnerability Intelligence
Miggo AI