
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2023-28427) affects matrix-js-sdk, the JavaScript Client-Server SDK for the Matrix messaging protocol, in versions prior to 24.0.0. It was discovered by the Matrix Security Team and disclosed on March 28, 2023. The issue affects systems that use the matrix-js-sdk library, including applications such as Thunderbird that bundle the Matrix SDK (Matrix Blog, Mozilla Advisory).
The vulnerability involves prototype pollution through events containing special strings in key locations, which can temporarily disrupt the normal functioning of matrix-js-sdk. The issue has been assigned a CVSS v3.1 base score of 8.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H. The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) (GitHub Advisory, NVD).
The vulnerability can cause matrix-js-sdk to malfunction, potentially impacting the consumer's ability to process data safely. While the primary demonstrated impact is denial of service, the large attack surface means more severe impacts cannot be completely ruled out. The SDK may appear to operate normally while excluding or corrupting runtime data presented to the consumer (Matrix Blog, GitHub Advisory).
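To make the CWE-1321 mechanism concrete, the following added example (not matrix-js-sdk code, and not the actual vulnerable code path) shows how a naive recursive merge of an untrusted event object can write through `__proto__` into `Object.prototype`, alongside a hardened merge and a boundary check that flags such keys before the event is processed. The event JSON, the `naiveMerge`/`safeMerge` helpers and `findPrototypeKeys` are all constructed for illustration.

```javascript
// Added example, not matrix-js-sdk's own code. Demonstrates prototype
// pollution (CWE-1321) through a naive deep merge of an untrusted event, and
// two defensive measures: a merge that refuses prototype-affecting keys, and
// a scanner that rejects such events at the trust boundary.

// Keys that can reach the prototype chain when used as property names.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed untrusted event: JSON.parse creates an *own* property literally
// named "__proto__", so a key walk will see it.
const UNTRUSTED_EVENT_JSON =
  '{"type":"m.room.message","content":{"__proto__":{"polluted":true}}}';

// Naive deep merge: follows every key, including "__proto__". When the target
// already has an object at that key (Object.prototype), it recurses into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skips prototype-affecting keys and only recurses into
// objects the target *owns*, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop silently, or reject the event
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Boundary check: returns the dotted paths of any prototype-affecting keys in
// a decoded event, so the caller can reject it before any merge happens.
function findPrototypeKeys(value, path = '', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findPrototypeKeys(value[key], here, found);
  }
  return found;
}

// Returns true if merging the untrusted event polluted Object.prototype.
// Cleans up afterwards so the process is not left in a polluted state.
function demoNaive() {
  const state = {};
  naiveMerge(state, JSON.parse(UNTRUSTED_EVENT_JSON));
  const leaked = ({}).polluted === true; // unrelated objects now "have" it
  delete Object.prototype.polluted;
  return leaked;
}

// Returns true if the hardened merge polluted Object.prototype (it should not).
function demoSafe() {
  const state = {};
  safeMerge(state, JSON.parse(UNTRUSTED_EVENT_JSON));
  return ({}).polluted === true;
}

console.log('naive merge polluted prototype:', demoNaive());
console.log('safe merge polluted prototype: ', demoSafe());
console.log('suspicious keys in event:      ',
  findPrototypeKeys(JSON.parse(UNTRUSTED_EVENT_JSON)));
```

The scanner is the check a consumer of decoded events would want at the boundary: any event whose key paths include `__proto__`, `constructor` or `prototype` can be dropped and logged rather than handed to application logic, independent of whatever merge or copy routine sits downstream.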
The vulnerability has been patched in matrix-js-sdk version 24.0.0. There are no known workarounds for this vulnerability, and users are strongly advised to upgrade to the patched version (GitHub Advisory).
The vulnerability has received attention from major Linux distributions and software vendors. Debian, Red Hat, and Gentoo have issued security advisories and patches for affected packages, particularly focusing on Thunderbird which bundles the affected SDK (Debian Advisory, Red Hat Advisory, Gentoo Advisory).
Source: This report was generated using AI