5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36402

GHSA ID

GHSA-8vmr-h7h5-cqhg

EPSS Score

0.33258%

CWE

CWE-287

Published

1/16/2025

Updated

1/17/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-36402

CVE-2024-36402: matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content

Impact

MMR before version 1.3.5 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository.

Patches

MMR 1.3.5 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

Workarounds

Though extremely limited, server operators can use more strict rate limits based on IP address.

References

https://github.com/matrix-org/matrix-spec-proposals/pull/3916

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-36402

GHSA ID

GHSA-8vmr-h7h5-cqhg

EPSS Score

0.33258%

CWE

CWE-287

Published

1/16/2025

Updated

1/17/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/t2bot/matrix-media-repo	go	< 1.3.5	1.3.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key aspects: 1) Unauthenticated client-facing media endpoints that allowed triggering remote media caching, and 2) Federation handlers that accepted media without proper authentication. The first function represents the client-facing API endpoints (/_matrix/media/*) that lacked authentication checks before 1.3.5. The second function relates to federation pathways that may have allowed unauthorized media storage. Confidence is high for the client endpoints based on explicit patch notes about adding authenticated alternatives, and medium for federation handling based on the vulnerability's remote attack vector description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t MMR ***or* v*rsion *.*.* *llows, *y **si*n, un*ut**nti**t** r*mot* p*rti*ip*nts to tri***r * *ownlo** *n* ****in* o* r*mot* m**i* *rom * r*mot* *om*s*rv*r to t** lo**l m**i* r*pository. Su** *ont*nt t**n *lso ***om*s *v*il**l* *or *ownlo*

Reasoning

T** vuln*r**ility st*ms *rom two k*y *sp**ts: *) Un*ut**nti**t** *li*nt-***in* m**i* *n*points t**t *llow** tri***rin* r*mot* m**i* ****in*, *n* *) ****r*tion **n*l*rs t**t ****pt** m**i* wit*out prop*r *ut**nti**tion. T** *irst `*un*tion` r*pr*s*nts

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-36402: matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI