CVE-2022-39251
JavaScript vulnerability analysis and mitigation

Overview

CVE-2022-39251 is a critical severity vulnerability discovered in the Matrix SDK bundled with Thunderbird and other Matrix clients. The vulnerability was discovered by researchers from Royal Holloway University London, University of Sheffield, and Brave Software, and was disclosed on September 28, 2022. The vulnerability affects matrix-js-sdk versions below 19.7.0 and impacts applications using this SDK including Element, Beeper, Cinny, SchildiChat, Circuli, and Synod.im (Matrix Blog).

Technical details

The vulnerability is a protocol confusion bug where the system incorrectly accepts to-device messages encrypted with Megolm instead of Olm, attributing them to the Megolm sender rather than the actual sender. This implementation flaw allows attackers to fake the trusted sender of to-device messages. The vulnerability received a critical severity rating due to its potential impact on message encryption and authentication (GitHub Advisory).

Impact

An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person without any indication such as a grey shield. Additionally, sophisticated attackers could perform targeted attacks to send fake to-device messages appearing to originate from another user, potentially allowing them to inject key backup secrets during self-verification and make targeted devices use malicious key backups spoofed by the homeserver (GitHub Advisory, Matrix Blog).

Mitigation and workarounds

The vulnerability was patched in matrix-js-sdk version 19.7.0. The fix includes modifications to only accept Olm-encrypted to-device messages and additional security checks: discarding cleartext m.room_key, m.forwarded_room_key and m.secret.send to-device messages, discarding secrets received from untrusted devices, and ensuring key backups are only usable if they have a valid signature from a trusted device. Users were advised not to verify new logins using emoji/QR verification methods until patched and to prefer verifying with security passphrases (GitHub Advisory).
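
The first three acceptance rules listed above, written as a stand-alone filter. This is an added example, not matrix-js-sdk code: the event object shape (`encrypted`, `algorithm`, `type`, `sender`, `deviceId`) and the `isTrustedDevice` callback are assumptions, and the sample events are constructed. The key backup signature check is not covered.

```javascript
// Added example, not matrix-js-sdk code. The event shape and the
// isTrustedDevice callback are assumptions made for illustration.
const OLM = "m.olm.v1.curve25519-aes-sha2";       // Olm algorithm name (Matrix spec)
const MEGOLM = "m.megolm.v1.aes-sha2";            // Megolm algorithm name (Matrix spec)
const SENSITIVE_TYPES = new Set([
  "m.room_key", "m.forwarded_room_key", "m.secret.send",
]);

// Decide whether a received to-device event may be processed.
//   ev.encrypted  true if it arrived inside an m.room.encrypted envelope
//   ev.algorithm  algorithm named on that envelope (undefined for cleartext)
//   ev.type       event type (the decrypted type when encrypted)
function checkToDevice(ev, isTrustedDevice) {
  // Rule 1: encrypted to-device traffic must be Olm. Accepting a Megolm
  // envelope here is the protocol confusion: the message would be
  // attributed to the Megolm session's sender, not the real sender.
  if (ev.encrypted && ev.algorithm !== OLM) {
    return { accept: false, reason: "non-olm-to-device" };
  }
  // Rule 2: room keys and secrets are never accepted in cleartext.
  if (!ev.encrypted && SENSITIVE_TYPES.has(ev.type)) {
    return { accept: false, reason: "cleartext-sensitive-type" };
  }
  // Rule 3: secrets are only accepted from devices already trusted.
  if (ev.type === "m.secret.send" && !isTrustedDevice(ev.sender, ev.deviceId)) {
    return { accept: false, reason: "secret-from-untrusted-device" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed sample data: one trusted device and five to-device events.
const trustedDevices = new Set(["@alice:example.org|DEVICEA"]);
const isTrusted = (user, device) => trustedDevices.has(`${user}|${device}`);
const alice = { sender: "@alice:example.org", deviceId: "DEVICEA" };
const samples = [
  { ...alice, encrypted: true, algorithm: MEGOLM, type: "m.secret.send" },
  { ...alice, encrypted: false, type: "m.room_key" },
  { ...alice, deviceId: "DEVICEX", encrypted: true, algorithm: OLM, type: "m.secret.send" },
  { ...alice, encrypted: true, algorithm: OLM, type: "m.secret.send" },
  { ...alice, encrypted: false, type: "m.key.verification.request" },
];
for (const ev of samples) {
  const verdict = checkToDevice(ev, isTrusted);
  console.log(ev.type, ev.algorithm ?? "cleartext", ev.deviceId, verdict.reason);
}
```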

This report was generated using AI.
