Security Hall of Fame

Here we maintain a list of security researchers and their findings, to recognize them for having responsibly disclosed security issues to us in the past.

If you think you've found a security issue relating to Matrix software or infrastructure, please see our Security Disclosure Policy on how to report it to us.

2024-05-26 - Matrix React SDK - Charlotte

Found room URL preview settings were controllable by the homeserver.

2024-05-26 - Matrix JS SDK - morguldir

Discovered a way to freeze clients using the Matrix JS SDK by crafting a room with itself as its predecessor (CVE-2024-42369 / GHSA-vhr5-g3pm-49fm).

2024-04-25 - matrix-org/sonarcloud-workflow-action - Johannes Marbach

Identified a method to supply arbitrary parameter to sonar-scanner.

2023-06-20 - Synapse - Alexey Shchepin

Discovered that weakness in auth chain indexing allowed DoS from remote room members through disk fill and high CPU usage (CVE-2024-31208 / GHSA-3h7q-rfh9-xm4v).

2023-07-31 - Sydent - Martin Schobert, Pentagrid AG

Discovered that Sydent would not verify its configured SMTP server's certificates when sending emails using TLS.

2023-05-27 - matrix-media-repo - Josh Qou

Discovered that the download endpoint of the matrix-media-repo was serving unsafe media inline (CVE-2023-41318/ GHSA-5crw-6j7v-xc72).

2023-04-26 - Synapse - Thimothé Maljean

Discovered temporary storage of plaintext passwords during password changes (CVE-2023-41335/ GHSA-4f74-84v3-j9q5).

2023-04-25 - Matrix React SDK - S1m

Discovered an XSS vector for CVE-2023-30609/ GHSA-xv83-x443-7rmw.

2023-04-10 - Matrix React SDK - Cadence Ember

Found an HTML injection via highlighting of search results (CVE-2023-30609/ GHSA-xv83-x443-7rmw).

2023-03-04 - Dendrite - Sleroq

Discovered a DoS attack on Dendrite by sending a specially crafted event, making it spend a lot of CPU.

2023-02-18 - matrix-appservice-irc - Val Lorentz

Discovered a IRC command injection via admin commands (CVE-2023-38690/ GHSA-3pmj-jqqp-2mj3).

2023-02-10 - Synapse - Dirk Klimpel - BWI GmbH

Discovered a deactivated user could still log in in certain situations.

2022-10-18 - matrix.org infrastructure - aoxsin

Discovered that pinecone.matrix.org was exposing pprof.

2022-10-12 - Matrix Public Archive - Dionysis Grigoropoulos

Discovered a reflected and stored XSS in the Matrix Public Archive project. Fixed in commit 12d96ee.

2022-10-08 - matrix.org infrastructure - Dinesh kumar

Reported that grafana.matrix.org metrics were publicly exposed.

2022-09-17 - Element iOS - Josh Enders

Discovered a FaceID bypass in Element iOS. Fixed in Element iOS 1.9.7.

2022-08-23 - Element iOS - Cyastis Volantis

Discovered issue with PIN screen being bypassable by opening the application in landscape mode. Fixed in Element iOS 1.9.1.

2022-06-23 - matrix-appservice-discord - Ethan Reynolds

Discovered a way to crash the bridge by sending a message into a bridged voice room.

2022-06-06 - matrix-appservice-irc - Val Lorentz

Discovered a parsing issue which could lead to channel/room takeovers (CVE-2022-39203, GHSA-xvqg-mv25-rwvw). Fixed in matrix-appservice-irc 0.35.0 (blog post).

2022-05-13 - matrix-appservice-irc - Val Lorentz

Discovered an IRC mode parameter parsing confusion which could lead to wrong modes being applied (CVE-2022-39202, GHSA-cq7q-5c67-w39w). Fixed in matrix-appservice-irc 0.35.0 (blog post).

2022-05-10 - Several Matrix SDKs - Martin R. Albrecht, Sofía Celi, Benjamin Dowling and Daniel Jones

For an excellent analysis exposing several cryptographic implementation vulnerabilities in the first generation Matrix SDKs. See the disclosure blog post and the research paper for details.

2022-05-12 - Element clients - Rex Kim (@rexouflage)

Reported an RTLO injection issue allowing an attacker to construct a link appearing to lead to an URL while actually leading to another. Fixed in Element iOS 1.8.17 and Element Android 1.4.18. Mitigated in Element Desktop 1.11.1 by enabling link tooltips.

2022-05-04 - matrix-appservice-irc / node-irc - Val Lorentz

IRC command injection in the matrix-appservice-irc bridge when replying to a malicious message due to incomplete newline sanitization. Fixed in matrix-appservice-irc 0.33.2 and node-irc 1.2.1. Tracked as GHSA-37hr-348p-rmf4 and GHSA-52rh-5rpj-c3w6.

2022-01-31 - Element Desktop - s1r1us and TheGrandPew

Remotely triggerable host program execution with user interaction, caused by an outdated Electron dependency. Depending on the host environment, full RCE may be possible. Fixed in Element Desktop 1.9.7 and tracked as GHSA-mjrg-9f8r-h3m7 / CVE-2022-23597.

2021-11-18 - libolm - Oliver Behnke

Buffer overflow in olm_session_describe in libolm before version 3.2.8, remotely triggerable from matrix-js-sdk before 15.2.1. Fixed in libolm 3.2.8 and matrix-js-sdk 15.2.1. Assigned CVE-2021-44538.

2021-09-23 - Matrix Static - Pascal "nephele" Abresch

Reported that Matrix Static (used for view.matrix.org) was vulnerable to XSS via room names due to missing sanitization. Fixed in Matrix Static 0.3.1.

2021-09-17 - Element iOS - The UK's National Cyber Security Centre (NCSC)

JavaScript code execution when previewing user file attachments in Element iOS before 1.6.8 on iOS 12 and earlier. Fixed in Element iOS 1.6.8.

2021-08-31 - status.matrix.org - Thomas Chauchefoin (SonarSource)

Discovered status.matrix.org was running a version of Cachet vulnerable to an SQL injection. Since this host was used solely for running the status page, we fixed this by decommissioning it and switching to Atlassian's Statuspage service.

2021-07-03 - Synapse - Aaron Raimist

Discovered that an explicit assignment of power level 0 was misinterpreted as the default power level. Fixed in Synapse v1.40.0.

2021-05-21 - Element Android - Aaron Raimist and an anonymous security researcher

Discovered that Element Android was disclosing the filename of end-to-end encrypted attachments to the homeserver. Fixed in Element Android 1.1.8.

2021-03-01 - Dendrite - Graham Leach-Krouse

Authentication bypass in SQLite deployments. Fixed in Dendrite v0.3.11.

2021-02-16 - Matrix React SDK - Guilherme Keerok

User content sandbox could be tricked into opening arbitrary documents (CVE-2021-21320). Fixed in matrix-react-sdk 3.15.0.

2021-01-18 - Synapse - Michaël Scherer

IP blacklist bypass via transitional IPv6 addresses on dual-stack networks (CVE-2021-21392). Fixed in Synapse 1.28.0.

2021-01-07 - Element iOS - Andrea Spacca

Element iOS crash via an invalid content payload. Fixed in Element iOS 1.1.4.

2020-11-17 - Synapse - Michaël Scherer

Denial of service attack via .well-known lookups (CVE-2021-21274). Fixed in Synapse 1.25.0.

2020-11-17 - Synapse - Michaël Scherer

IP blacklist bypass via redirects on some federation and push requests (CVE-2021-21273). Fixed in Synapse 1.25.0.

2020-09-20 - Synapse - Denis Kasak

HTML injection in login fallback endpoints could be used for a Cross-site-scripting attack (CVE-2020-26891). Fixed in Synapse 1.21.0.

2020-09-09 - New Vector Infrastructure - Pritam Mukherjee

Misconfigured X-Frame in New Vector internal infrastructure could lead to Clickjacking

2020-08-14 - Element - awesome-michael from Awesome Technologies

An issue where encrypted state events could break incoming call handling. Fixed in Element 1.7.5

2020-07-29 - Element - 0x1a8510f2

An issue where Element Android was leaking PII. Fixed in Element Android 1.0.5

2020-07-20 - Element - SakiiR

An issue where an unexpected language ID in a code block could cause Element to crash. Fixed in Element 1.7.3

2020-07-14 - Synapse - Denis Kasak

Invalid JSON could become part of the room state, acting as a denial of service vector (CVE-2020-26890). Fixed in Synapse 1.20.0. Disclosed 2020-11-23.

2020-07-02 - Synapse - Quentin Gliech

A clickjacking vulnerability in the single-sign-on flow in Synapse. Fixed in Synapse 1.15.2.

2020-06-18 - Element - Sorunome

An issue where replying to a specially formatted message would make it seem like the replier said something they did not. Fixed in Element 1.7.3

2020-05-10 - Matrix React SDK - Quentin Gliech

A CSRF attack leading to potential unauthorised access to accounts on servers using single-sign-on flows. Fixed as part of matrix-react-sdk#4685, released in Riot/Web 1.6.3.

2020-05-03 - e2e spec - David Wong

A vulnerability in the SAS verification protocol failing to bind the ephemeral public keys. Fixed in MSC2630, which lists the fixed client versions.

2020-03-03 - Synapse - Rhys Davies

An open redirect vulnerability affecting single sign-on flows. Fixed in Synapse 1.11.1

2019-05-02 - sydent - Enguerran Gillier

HTML injection in email invites. A malicious 3rd party invite could inject unescaped HTML into the email template. Fixed in Sydent 1.0.3

2019-05-02 - synapse - Enguerran Gillier

SSRF in the URL preview API, which did not blacklist access to 0.0.0.0/32 or ::/128 by default. Fixed in Synapse 0.99.3.1

2019-05-02 - synapse - Enguerran Gillier

Insecure pseudo-random number generator in synapse meant that an attacker might be able to predict random values. Fixed in Synapse 0.99.3.1

2019-05-02 - sydent - Enguerran Gillier

Insecure pseudo-random number generator in sydent meant that an attacker could predict authentication tokens. Fixed in Sydent 1.0.3

2019-04-22 - Riot/Android - Julien Thomas from Protektoid Project

Obsolete and buggy ContentProvider in Riot/Android meant that a malicious local app could compromise account data. Mitigated here.

2019-04-20 - Sydent - fs0c131y

Sydent session ids were predictable, meaning it was possible to infer the total number of validations and also check if an address had been validated. Mitigated here.

2019-04-18 - Sydent - fs0c131y

An email validation exploit in Sydent. For more details see here and CVE-2019-11340.

2019-04-09 - Infrastructure - Jaikey Sarraf

Identified a unpatched RCE vulnerability in Matrix.org's public-facing Jenkins. It transpired the vulnerability had been exploited by an attacker.

2018-12-06 - Synapse - Brian Hyde

XSS exploit allowing a malicious SWF uploaded to Riot via Firefox to run arbitrary code in the domain of the content repository. Mitigated here.

2018-02-19 - Matrix React SDK - rugk

Origin check of ScalarMessaging postmessage API was insufficient. Mitigated here.

If you think you should be on the list, apologies if we missed you, please mail us at security@matrix.org.