CVE-2022-39250

Matrix JavaScript SDK vulnerable to key/device identifier confusion in SAS verification

Description

Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.

Category

8.6
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.12%
Vendor Advisory gentoo.org Vendor Advisory matrix.org
Affected: matrix-org matrix-js-sdk
Published at:
Updated at:

References

Link Tags
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 third party advisory patch
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0 third party advisory release notes
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients vendor advisory
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf third party advisory
https://security.gentoo.org/glsa/202210-35 third party advisory vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-39250?
CVE-2022-39250 has been scored as a high severity vulnerability.
How to fix CVE-2022-39250?
To fix CVE-2022-39250, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-39250 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-39250 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39250?
CVE-2022-39250 affects matrix-org matrix-js-sdk.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.