Matrix JavaScript SDK Insufficient Room Link Validation Vulnerability

Vulnerability

A vulnerability exists in the Matrix JavaScript SDK in versions prior to 38.2.0, due to inadequate validation of room predecessor links in the 'getJoinedRooms' method. This flaw allows remote attackers to attempt to replace a tombstoned room with an unrelated room of their choosing. The vulnerability could be exploited by manipulating room replacement claims, potentially leading to confusion or disruption in room management.

Impact

Exploitation of this vulnerability could allow an attacker to disrupt the normal functioning of room management by replacing tombstoned rooms with unrelated ones, which could cause confusion or miscommunication in collaborative environments.

Reproduction

To reproduce this vulnerability, use a version of the Matrix JavaScript SDK prior to 38.2.0. Call the 'getJoinedRooms' method on a 'MatrixClient' instance. The method will return rooms without properly validating their upgrade relationships. This allows for the replacement of tombstoned rooms with attacker-supplied rooms, which can be demonstrated by creating a room that claims to replace a tombstoned one, without the necessary validation being enforced.

Remediation

Users are advised to upgrade to Matrix JavaScript SDK version 38.2.0 or later. As a temporary workaround, avoid using the 'MatrixClient::getJoinedRooms' method and instead use 'getRooms()', filtering upgraded rooms separately.
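One way to do the separate filtering described in the workaround, shown as an added example that is not the SDK's code or its patch. Rooms are modelled as plain objects whose `membership` and `state` fields are assumptions for illustration; the `m.room.tombstone` and `m.room.create` event types and their `replacement_room` and `predecessor.room_id` fields come from the Matrix specification.

```javascript
// Constructed sample data: plain objects standing in for the rooms returned by getRooms().
const sampleRooms = [
  { roomId: "!old:example.org", membership: "join",
    state: { "m.room.tombstone": { replacement_room: "!new:example.org" } } },
  { roomId: "!new:example.org", membership: "join",
    state: { "m.room.create": { predecessor: { room_id: "!old:example.org" } } } },
  // One-sided claim: names !old as predecessor, but !old's tombstone points elsewhere.
  { roomId: "!evil:attacker.example", membership: "join",
    state: { "m.room.create": { predecessor: { room_id: "!old:example.org" } } } },
  // Tombstoned, but the successor is not among the known rooms.
  { roomId: "!solo:example.org", membership: "join",
    state: { "m.room.tombstone": { replacement_room: "!gone:example.org" } } },
];

// Hypothetical accessors over the assumed `state` map.
const successorOf = (room) => room.state["m.room.tombstone"]?.replacement_room ?? null;
const predecessorOf = (room) => room.state["m.room.create"]?.predecessor?.room_id ?? null;

// An upgrade link counts only when both rooms are joined and each names the other.
function isVerifiedUpgrade(oldRoom, newRoom) {
  return Boolean(oldRoom && newRoom) &&
    oldRoom.membership === "join" && newRoom.membership === "join" &&
    successorOf(oldRoom) === newRoom.roomId &&
    predecessorOf(newRoom) === oldRoom.roomId;
}

// Joined rooms, minus those replaced by a verified successor.
function filterUpgradedRooms(rooms) {
  const byId = new Map(rooms.map((r) => [r.roomId, r]));
  return rooms
    .filter((r) => r.membership === "join")
    .filter((r) => !isVerifiedUpgrade(r, byId.get(successorOf(r))))
    .map((r) => r.roomId);
}

// Rooms whose predecessor claim is not confirmed by the target's tombstone.
function unverifiedPredecessorClaims(rooms) {
  const byId = new Map(rooms.map((r) => [r.roomId, r]));
  return rooms
    .filter((r) => predecessorOf(r) !== null)
    .filter((r) => !isVerifiedUpgrade(byId.get(predecessorOf(r)), r))
    .map((r) => ({ claimant: r.roomId, target: predecessorOf(r) }));
}

console.log(filterUpgradedRooms(sampleRooms));
console.log(unverifiedPredecessorClaims(sampleRooms));
```

The one-sided claimant stays listed as an ordinary room but never hides the room it names, and the second function surfaces such claims for logging or review.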

Added: Sep 16, 2025, 5:23 PM
Updated: Sep 16, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.2
impact: 0.6
exploitability: 5.7
remediation: 8.3
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.