Impact
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.
Patches
The issue has been patched and users should upgrade to 38.2.0.
Workarounds
Avoid using MatrixClient::getJoinedRooms in favour of getRooms() and filtering upgraded rooms separately.
Impact
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in
MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room.Patches
The issue has been patched and users should upgrade to 38.2.0.
Workarounds
Avoid using
MatrixClient::getJoinedRoomsin favour ofgetRooms()and filtering upgraded rooms separately.