
CVE-2022-39251: CWE-322: Key Exchange without Entity Authentication in matrix-org matrix-js-sdk

Medium
Published: Wed Sep 28 2022 (09/28/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: matrix-org
Product: matrix-js-sdk

Description

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious home server and an attacker, so those who trust their home servers do not need a workaround.

AI-Powered Analysis

Last updated: 06/22/2025, 16:52:53 UTC

Technical Analysis

CVE-2022-39251 is a vulnerability in the matrix-js-sdk, a JavaScript client-server SDK used for the Matrix protocol, which is an open standard for decentralized communication. The vulnerability exists in versions prior to 19.7.0 and stems from a protocol confusion issue where to-device messages encrypted with the Megolm encryption scheme are accepted instead of only those encrypted with Olm. Megolm is designed for group messaging, while Olm is intended for one-to-one encrypted communication. This flaw allows a malicious homeserver, in cooperation with an attacker, to craft messages that appear to originate from another user without any visual indication such as a grey shield, which normally signals untrusted messages. This can lead to impersonation attacks where messages or commands are spoofed as coming from legitimate users. More critically, an attacker can inject malicious key backup secrets during self-verification processes, causing targeted devices to use attacker-controlled key backups. This undermines the integrity and confidentiality of encrypted communications and key management. The root cause is a lack of entity authentication during key exchange, violating CWE-322, and improper authentication (CWE-287). The vulnerability requires a malicious or compromised homeserver, meaning that users who trust their homeserver are not at risk. The issue was addressed in version 19.7.0 by restricting accepted to-device messages to those encrypted with Olm only and adding additional checks to prevent protocol confusion. There are no known exploits in the wild, and no CVSS score has been assigned to this vulnerability.
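The check described above, restricting the to-device channel to Olm, can be sketched as follows. This is an added example, not code from matrix-js-sdk: the function names, the key-bearing type list and the sample batch are assumptions made for illustration, and it inspects only the wire envelope before decryption.

```javascript
// Added illustration, not matrix-js-sdk code. Algorithm names are from the Matrix spec.
const OLM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM = "m.megolm.v1.aes-sha2";
// Assumed policy list for this example: event types that carry key material.
const KEY_BEARING = new Set(["m.room_key", "m.forwarded_room_key", "m.secret.send"]);

// Decide whether one to-device event (as delivered in /sync to_device.events)
// may be handed to the decryption layer.
function checkToDeviceEvent(ev) {
  const content = ev.content || {};
  if (ev.type !== "m.room.encrypted") {
    // Plaintext to-device traffic exists legitimately, but never for key material.
    return KEY_BEARING.has(ev.type)
      ? { accept: false, reason: "key-bearing event sent in plaintext" }
      : { accept: true, reason: "plaintext, not key-bearing" };
  }
  if (content.algorithm === MEGOLM) {
    // The confusion described above: a group ciphertext on the to-device channel.
    return { accept: false, reason: "megolm on to-device channel" };
  }
  if (content.algorithm !== OLM) {
    return { accept: false, reason: "unsupported algorithm" };
  }
  // Olm ciphertext is a map keyed by recipient Curve25519 key; Megolm's is a string.
  if (typeof content.ciphertext !== "object" || content.ciphertext === null) {
    return { accept: false, reason: "malformed olm payload" };
  }
  return { accept: true, reason: "olm" };
}

// Split a batch into events to process and events to drop and alert on.
function triageToDevice(events) {
  const accepted = [], rejected = [];
  for (const ev of events) {
    const verdict = checkToDeviceEvent(ev);
    (verdict.accept ? accepted : rejected).push({ sender: ev.sender, type: ev.type, ...verdict });
  }
  return { accepted, rejected };
}

// Constructed sample batch (not captured traffic); key and session values are placeholders.
const SAMPLE = [
  { sender: "@alice:example.org", type: "m.room.encrypted",
    content: { algorithm: OLM, sender_key: "PLACEHOLDER", ciphertext: { RECIPIENT_KEY: { type: 0, body: "..." } } } },
  { sender: "@alice:example.org", type: "m.room.encrypted",
    content: { algorithm: MEGOLM, sender_key: "PLACEHOLDER", session_id: "PLACEHOLDER", ciphertext: "..." } },
  { sender: "@mallory:example.org", type: "m.secret.send", content: { secret: "..." } },
];
console.log(triageToDevice(SAMPLE).rejected);
```

The `rejected` list is what a client or proxy would log for alerting; an upgraded SDK remains the actual fix.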

Potential Impact

For European organizations using Matrix-based communication platforms that rely on matrix-js-sdk versions prior to 19.7.0, this vulnerability poses a significant risk to the confidentiality and integrity of their communications. An attacker controlling or cooperating with a malicious homeserver can impersonate users, inject malicious messages, and manipulate key backup secrets, potentially leading to unauthorized access to encrypted conversations and sensitive data. This could facilitate espionage, data leakage, or disruption of secure communications. The impact is particularly critical for organizations handling sensitive or regulated information, such as government agencies, financial institutions, healthcare providers, and critical infrastructure operators. Since the attack requires a malicious homeserver, organizations using self-hosted or trusted homeservers are less exposed, but those relying on third-party or less trusted homeservers face higher risks. The vulnerability could also undermine trust in decentralized communication systems, impacting collaboration and information sharing. Availability is less affected, as the attack focuses on message spoofing and key manipulation rather than denial of service. However, the integrity and confidentiality breaches could have cascading effects on operational security and compliance with data protection regulations such as GDPR.

Mitigation Recommendations

1. Upgrade matrix-js-sdk to version 19.7.0 or later immediately to ensure the acceptance of only Olm-encrypted to-device messages and benefit from additional security checks.
2. Audit and verify the trustworthiness of homeservers used within the organization's Matrix network; prefer self-hosted or well-vetted homeservers to reduce exposure to malicious server operators.
3. Implement monitoring and alerting for unusual to-device message patterns or unexpected key backup changes that could indicate exploitation attempts.
4. Educate users about the importance of verifying device keys and recognizing security indicators within Matrix clients, even though this vulnerability may bypass some visual cues.
5. For organizations providing Matrix services, enforce strict server-side validation and authentication mechanisms to prevent protocol confusion and message spoofing.
6. Conduct regular security assessments and penetration testing focused on the Matrix communication infrastructure to detect potential weaknesses or misconfigurations.
7. Maintain up-to-date incident response plans that include scenarios involving compromised communication channels and key management attacks.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9845c4522896dcbf44a0

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 4:52:53 PM

Last updated: 8/5/2025, 11:51:30 AM
