5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29529

GHSA ID

GHSA-6g67-q39g-r79q

EPSS Score

0.40329%

CWE

CWE-862

Published

4/14/2023

Updated

4/25/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29529

CVE-2023-29529: matrix-js-sdk vulnerable to invisible eavesdropping in group calls

Impact

An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call.

This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case.

Legacy 1:1 calls are unaffected.

Workarounds

Users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29529

GHSA ID

GHSA-6g67-q39g-r79q

EPSS Score

0.40329%

CWE

CWE-862

Published

4/14/2023

Updated

4/25/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-js-sdk	npm	< 24.1.0	24.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks during group call setup. The SDK accepted incoming direct calls even when the caller hadn't declared participation via m.call.member events. Functions responsible for handling incoming call invites (e.g., handleIncomingCall, onCallInvite) would be the logical points where this check was omitted. The CWE-862 (Missing Authorization) aligns with this scenario, and the patched version (24.1.0) likely added participant validation in these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r pr*s*nt in * room w**r* *n [MS*****](*ttps://*it*u*.*om/m*trix-or*/m*trix-sp**-propos*ls/pull/****) *roup **ll is t*kin* pl*** **n **v*s*rop on t** vi**o *n* *u*io o* p*rti*ip*nts usin* m*trix-js-s*k, wit*out t**ir knowl****.

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks *urin* *roup **ll s*tup. T** S*K ****pt** in*omin* *ir**t **lls *v*n w**n t** **ll*r ***n't ***l*r** p*rti*ip*tion vi* `m.**ll.m*m**r` *v*nts. *un*tions r*sponsi*l* *or **n*lin* in*omin* **ll

5

Basic Information

Concerned about an active attack path?

CVE-2023-29529: matrix-js-sdk vulnerable to invisible eavesdropping in group calls

Impact

Workarounds

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI