CVE-2023-28103: 
JavaScript vulnerability analysis and mitigation

matrix-react-sdk, a Matrix chat protocol SDK for React Javascript, was found to contain a high-severity vulnerability (CVE-2023-28103) discovered and disclosed on March 28, 2023. The vulnerability affects versions prior to 3.69.0, where specially crafted data sent by remote servers containing specific strings in key locations could cause modifications of the Object.prototype (Matrix Blog, GitHub Advisory).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes - 'Prototype Pollution'). It received a CVSS v3.1 Base Score of 8.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. This represents the second part of a broader security issue, where the first part was addressed under CVE-2022-36060 (NVD, GitHub Advisory).

The vulnerability could disrupt matrix-react-sdk functionality, causing denial of service and potentially affecting program logic. While the demonstrated impact primarily showed denial-of-service effects, the extensive attack surface meant that more severe impacts could not be completely ruled out, leading to its classification as a high-severity vulnerability (Matrix Blog).

The vulnerability was patched in matrix-react-sdk version 3.69.0. No workarounds are available for this vulnerability, and users are strongly advised to upgrade to the patched version (GitHub Advisory).