In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the
Object.prototype, disrupting matrix-react-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36060 / GHSA-2x9c-qwgf-94xr is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
This is fixed in matrix-react-sdk 3.69.0
If you have any questions or comments about this advisory please email us at security at matrix.org.