CVE-2025-59160

Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. The issue has been patched and users should upgrade to 38.2.0. A workaround is to avoid using MatrixClient::getJoinedRooms in favor of getRooms() and filtering upgraded rooms separately.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59160.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-345"
    ]
}

References

Affected packages

Git / github.com/matrix-org/matrix-js-sdk

Affected ranges

Type: GIT
Repo: https://github.com/matrix-org/matrix-js-sdk
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4a9006aea68f9d4d7fad3965e754e89b03fb286f

Affected versions

Other

no-media-devices-release

v0.*

v0.1.0

v0.1.1

v0.10.2

v0.10.2-rc.1

v0.10.3

v0.10.3-rc.1

v0.10.5

v0.10.5-rc.1

v0.10.7

v0.10.7-rc.1

v0.11.0

v0.11.0-rc.1

v0.2.0

v0.2.1

v0.2.2

v0.4.1

v0.4.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.6.0-rc1

v0.6.0-rc2

v0.6.1

v0.6.2

v0.6.4

v0.6.4-rc.2

v0.7.1-rc.1

v0.7.10

v0.7.2

v0.7.4

v0.7.4-rc.1

v0.7.9

v0.8.0

v0.8.1

v0.8.1-rc.1

v0.8.2

v0.8.3

v0.8.3-rc.1

v1.*

v1.0.0

v1.0.0-rc.1

v1.0.0-rc.2

v2.*

v2.0.1

v2.0.1-rc.1

v2.0.1-rc.2

v2.4.1

v26.*

v26.1.0-patch.1

v26.2.0-no-media-devices-hotfix

v30.*

v30.1.0-rc.0

v30.1.0-rc.1

v30.2.0-rc.0

v31.*

v31.2.0-rc.0

v34.*

v34.2.0

v38.*

v38.0.0-rc.1

v38.1.0

v38.1.0-rc.0

v5.*

v5.0.1

v7.*

v7.1.0

v7.1.0-rc.1

v8.*

v8.0.0

v8.1.0

v8.1.0-rc.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59160.json"