8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28103

GHSA ID

GHSA-6g43-88cp-w5gv

EPSS Score

0.45853%

CWE

CWE-1321

Published

3/29/2023

Updated

3/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28103

CVE-2023-28103:
Prototype pollution in matrix-react-sdk

Impact

In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.

(This is part 2, where CVE-2022-36060 / GHSA-2x9c-qwgf-94xr is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)

Patches

This is fixed in matrix-react-sdk 3.69.0

Workarounds

None.

References

Release blog post
The advisory GHSA-2x9c-qwgf-94xr (CVE-2022-36060) refers to an initial set of vulnerable locations discovered and patched in matrix-react-sdk 3.53.0. We opted not to disclose that advisory while we performed an audit of the codebase and are now disclosing it jointly with this one.

For more information

If you have any questions or comments about this advisory please email us at security at matrix.org.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28103

GHSA ID

GHSA-6g43-88cp-w5gv

EPSS Score

0.45853%

CWE

CWE-1321

Published

3/29/2023

Updated

3/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-react-sdk	npm	< 3.69.0	3.69.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes prototype pollution risks in matrix-react-sdk but does not include concrete code examples, commit diffs, or specific function names. While the general mechanism (unsafe object property assignment/merging with attacker-controlled keys like proto) is clear, the advisory and references lack sufficient technical details to confidently identify specific functions. The CVE and GHSA descriptions reference a codebase audit but do not disclose which functions were patched in 3.69.0. Without access to the actual code changes or patch details, it is not possible to pinpoint vulnerable functions with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In **rt*in *on*i*ur*tions, **t* s*nt *y r*mot* s*rv*rs *ont*inin* sp**i*l strin*s in k*y lo**tions *oul* **us* mo*i*i**tions o* t** `O*j**t.prototyp*`, *isruptin* m*trix-r***t-s*k *un*tion*lity, **usin* **ni*l o* s*rvi** *n* pot*nti*lly **

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s prototyp* pollution risks in m*trix-r***t-s*k *ut *o*s not in*lu** *on*r*t* *o** *x*mpl*s, *ommit *i**s, or sp**i*i* *un*tion n*m*s. W*il* t** **n*r*l m****nism (uns*** o*j**t prop*rty *ssi*nm*nt/m*r*i

8.2

Basic Information

Concerned about an active attack path?

CVE-2023-28103: Prototype pollution in matrix-react-sdk

Impact

Patches

Workarounds

References

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-28103:
Prototype pollution in matrix-react-sdk

Vulnerability Intelligence
Miggo AI