Security Hall of Fame
Here we maintain a list of security researchers and their findings, to recognize them for having responsibly disclosed security issues to us in the past.
If you think you've found a security issue relating to Matrix software or infrastructure, please see our Security Disclosure Policy on how to report it to us.
2022-10-18 - matrix.org infrastructure - aoxsin Discovered that pinecone.matrix.org was exposing pprof.
Discovered a reflected and stored XSS in the Matrix Public Archive project. Fixed in
commit 12d96ee.
Reported that grafana.matrix.org metrics were publicly exposed.
Discovered issue with PIN screen being bypassable by opening the application in landscape mode. Fixed in
Element iOS 1.9.1.
For an excellent analysis exposing several cryptographic implementation vulnerabilities in the first generation Matrix SDKs. See the
disclosure blog post and the
research paper for details.
Reported an RTLO injection issue allowing an attacker to construct a link appearing to lead to an URL while actually leading to another. Fixed in Element iOS
1.8.17 and Element Android
1.4.18. Mitigated in
Element Desktop 1.11.1 by enabling link tooltips.
2022-05-04 - matrix-appservice-irc / node-irc - Val Lorentz IRC command injection in the matrix-appservice-irc bridge when replying to a malicious message due to incomplete newline sanitization. Fixed in matrix-appservice-irc 0.33.2 and node-irc 1.2.1. Tracked as
GHSA-37hr-348p-rmf4 and
GHSA-52rh-5rpj-c3w6.
Remotely triggerable host program execution with user interaction, caused by an outdated Electron dependency. Depending on the host environment, full RCE may be possible. Fixed in Element Desktop 1.9.7 and tracked as
GHSA-mjrg-9f8r-h3m7 /
CVE-2022-23597.
Buffer overflow in olm_session_describe in libolm before version 3.2.8, remotely triggerable from matrix-js-sdk before 15.2.1. Fixed in libolm 3.2.8 and matrix-js-sdk 15.2.1. Assigned
CVE-2021-44538.
Reported that Matrix Static (used for view.matrix.org) was vulnerable to XSS via room names due to missing sanitization. Fixed in
Matrix Static 0.3.1.
JavaScript code execution when previewing user file attachments in Element iOS before 1.6.8 on iOS 12 and earlier. Fixed in Element iOS 1.6.8.
Discovered status.matrix.org was running a version of Cachet vulnerable to an
SQL injection. Since this host was used solely for running the status page, we fixed this by decommissioning it and switching to Atlassian's Statuspage service.
Discovered that an explicit assignment of power level 0 was misinterpreted as the default power level. Fixed in Synapse v1.40.0.
Discovered that Element Android was disclosing the filename of end-to-end encrypted attachments to the homeserver. Fixed in Element Android 1.1.8.
IP blacklist bypass via transitional IPv6 addresses on dual-stack networks (
CVE-2021-21392). Fixed in Synapse 1.28.0.
Element iOS crash via an invalid content payload. Fixed in Element iOS 1.1.4.
Denial of service attack via .well-known lookups (
CVE-2021-21274). Fixed in Synapse 1.25.0.
IP blacklist bypass via redirects on some federation and push requests (
CVE-2021-21273). Fixed in Synapse 1.25.0.
HTML injection in login fallback endpoints could be used for a Cross-site-scripting attack (
CVE-2020-26891). Fixed in Synapse 1.21.0.
Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking
An issue where encrypted state events could break incoming call handling. Fixed in
Element 1.7.5An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in
Element 1.7.3Invalid JSON could become part of the room state, acting as a denial of service vector (
CVE-2020-26890). Fixed in Synapse 1.20.0. Disclosed 2020-11-23.
A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in
Synapse 1.15.2.
An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in
Element 1.7.3A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of
matrix-react-sdk#4685, released in Riot/Web 1.6.3.
A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in
MSC2630, which lists the fixed client versions.
An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1
HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3
SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1
Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1
Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3
Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated
here.
Sydent sesssion ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated
here.Identified a unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired the vulnerability had been
exploited by an attacker.
XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated
here.2018-02-19 - Matrix React SDK - rugk Origin check of ScalarMessaging postmessage API was insufficient. Mitigated
here.
If you think you should be on the list, apologies if we missed you, please mail us at [email protected].