CVE-2022-39236

Name: CVE-2022-39236
Creator: NVD / NIST
Published: 2022-09-28T17:15:11.133+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 0.99%

Last modified Jun 17, 2026

CVE-2022-39236 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. EPSS estimates a 0.99% chance of exploitation in the next 30 days.

Description

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

0.99%

58.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions	Update
Matrix	Javascript Sdk	>= 17.1.0, < 19.7.0	—
Matrix	Javascript Sdk	17.1.0	Rc1

References

https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76Patch, Third Party Advisory
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0Release Notes, Third Party Advisory
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45xThird Party Advisory
https://github.com/matrix-org/matrix-spec-proposals/pull/3488Patch, Third Party Advisory
https://security.gentoo.org/glsa/202210-35Third Party Advisory
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76Patch, Third Party Advisory
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0Release Notes, Third Party Advisory
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45xThird Party Advisory
https://github.com/matrix-org/matrix-spec-proposals/pull/3488Patch, Third Party Advisory
https://security.gentoo.org/glsa/202210-35Third Party Advisory

Timeline

Published: Sep 28, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-39236?

How severe is CVE-2022-39236?

CVE-2022-39236 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.99% probability of exploitation in the next 30 days.

How do I fix CVE-2022-39236?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-39236?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST