Today we are announcing security updates for several of our bridges.

In addition we have released matrix-appservice-bridge 9.0.1 (and backported to 8.1.2) which patches GHSA-vc7j-h8xg-fv5x.

All mentioned bridges are affected by a vulnerability in the provisioning interfaces of these bridges. If you are unable to upgrade, please disable provisioning for now (which should be documented in the relevant bridge sample config).

The IRC bridge is also affected by two additional vulnerabilities. In this case, we would recommend upgrading immediately rather than working around the problems.

Disclosures for these vulnerabilities, as well as CVE numbers will be out in three days (Thursday 3rd).

We advise to upgrade as soon as possible.

If you have further questions, please reach out on security@matrix.org

The Foundation needs you

The Matrix.org Foundation is a non-profit and only relies on donations to operate. Its core mission is to maintain the Matrix Specification, but it does much more than that.

It maintains the matrix.org homeserver and hosts several bridges for free. It fights for our collective rights to digital privacy and dignity.

Support us