Hi all,

Heads up that we made an emergency release of Riot/Web 0.13.5 a few hours ago to fix a XSS vulnerability found and reported by walle303 – many thanks for disclosing it responsibly.

Please upgrade to Riot/Web 0.13.5 asap. If you’re using riot.im/app or riot.im/develop this simply means hitting Refresh; otherwise please upgrade your Riot deployment as soon as possible. Alpine, Debian and Fedora/RPM packages are already updated – huge thanks to the maintainers for the fast turnaround.

The issue lies in the relatively obscure external_url feature, which lets bridges specify a URL for bridged events, letting Riot/Web users link through to the ‘original’ event (e.g. a twitter URL on a bridged tweet).  The option is hidden in a context menu and labelled “Source URL”, and is only visible on events which have the external_url field set.  Unfortunately Riot/Web didn’t sanitise the URL correctly, allowing a malicious URL to be injected – and this has been the case since the feature landed in Riot 0.9.0 (Nov 2016).

If you’re not able to upgrade to Riot/Web 0.13.5 for some reason, then please do not click on the ‘Source URL’ feature on the event context menu:

Apologies for the inconvenience,

thanks,

Matthew