CVE-2024-42347

7.7 HIGH

📋 TL;DR

A malicious Matrix homeserver can manipulate user account data to force the matrix-react-sdk client to enable URL previews in end-to-end encrypted rooms. This causes URLs from encrypted messages to be sent to the server, potentially leaking sensitive information. Only users connecting to untrusted homeservers are affected; trusted server deployments are safe.

💻 Affected Systems

Products:
  • matrix-react-sdk
Versions: All versions before 3.105.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using untrusted homeservers; trusted servers or closed federations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive URLs from encrypted conversations are exfiltrated to a malicious server, potentially revealing private information, locations, or credentials.

🟠 Likely Case

URLs from encrypted messages are sent to the server without user consent, compromising privacy expectations in end-to-end encrypted rooms.

🟢 If Mitigated

No impact if using trusted homeservers or patched versions; URL previews remain disabled in encrypted rooms as intended.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires control of a malicious homeserver to manipulate the user's account data; the issue cannot be triggered from the client side alone.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.105.0

Vendor Advisory: https://github.com/matrix-org/matrix-react-sdk/security/advisories/GHSA-f83w-wqhc-cfp4

Restart Required: Yes

Instructions:

1. Update matrix-react-sdk to version 3.105.0 or later.
2. Restart the application or web service using the SDK.
3. Verify the update by checking the version.

🧯 If You Can't Patch

  • Use only trusted homeservers with verified integrity.
  • Disable URL previews globally in client settings if possible.

🔍 How to Verify

Check if Vulnerable:

Check the matrix-react-sdk version in your project dependencies; versions below 3.105.0 are vulnerable.

Check Version:

Run npm list matrix-react-sdk (for Node.js projects) or check the version pinned in package.json.

Verify Fix Applied:

Confirm matrix-react-sdk version is 3.105.0 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual account-data updates pushed by the homeserver that change URL preview settings.
  • URL preview requests originating from encrypted rooms.

Network Indicators:

  • Unexpected HTTP requests to preview URL endpoints from clients in encrypted contexts.

SIEM Query:

Search for events where URL previews are enabled in encrypted rooms without user action.
