7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36060

GHSA ID

GHSA-2x9c-qwgf-94xr

EPSS Score

0.40509%

CWE

CWE-1321

Published

3/28/2023

Updated

3/28/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36060

CVE-2022-36060: matrix-react-sdk Prototype pollution vulnerability

Impact

Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as by causing room or event tile crashes. The remainder of the application can appear functional, though certain rooms/events will not be rendered.

Patches

This is fixed in matrix-react-sdk 3.53.0

Workarounds

There are no workarounds. Please upgrade immediately.

References

https://learn.snyk.io/lessons/prototype-pollution/javascript/

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36060

GHSA ID

GHSA-2x9c-qwgf-94xr

EPSS Score

0.40509%

CWE

CWE-1321

Published

3/28/2023

Updated

3/28/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-react-sdk	npm	< 3.53.0	3.53.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided information describes a prototype pollution vulnerability in matrix-react-sdk but does not include specific code examples, commit diffs, or file paths that would allow identification of exact vulnerable functions. While the CWE-1321 classification and impact description suggest improper handling of object properties (likely in event processing or object manipulation utilities), the lack of technical details about the implementation of the vulnerability and the corresponding patch makes it impossible to pinpoint specific functions with high confidence. The security advisory and release notes reference the fix but do not provide implementation-level details required for function identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *v*nts s*nt wit* sp**i*l strin*s in k*y pl***s **n t*mpor*rily *isrupt or imp*** t** m*trix-r***t-s*k *rom *un*tionin* prop*rly, su** *s *y **usin* room or *v*nt til* *r*s**s. T** r*m*in**r o* t** *ppli**tion **n *pp**r *un*tion*l, t*ou**

Reasoning

T** provi*** in*orm*tion **s*ri**s * prototyp* pollution vuln*r**ility in `m*trix-r***t-s*k` *ut *o*s not in*lu** sp**i*i* *o** *x*mpl*s, *ommit *i**s, or *il* p*t*s t**t woul* *llow i**nti*i**tion o* *x**t vuln*r**l* `*un*tions`. W*il* t** `*W*-****

7.2

Basic Information

Concerned about an active attack path?

CVE-2022-36060: matrix-react-sdk Prototype pollution vulnerability

Impact

Patches

Workarounds

References

For more information

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI