In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the
Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.
(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
The issue has been patched in matrix-js-sdk 24.0.0.
If you have any questions or comments about this advisory please email us at security at matrix.org.