CVE-2023-29529: 
JavaScript vulnerability analysis and mitigation

An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. The vulnerability (CVE-2023-29529) affects matrix-js-sdk versions prior to 24.1.0. The issue was discovered and disclosed in April 2023, affecting the Matrix Client-Server SDK for JavaScript and TypeScript (Matrix Advisory).

The vulnerability occurs because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call. This was implemented as a means of resolving a race condition in call setup. The affected versions do not restrict access to the user's outbound media in this case. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (Matrix Advisory).

When exploited, the vulnerability allows an attacker to eavesdrop on the video and audio of participants in a group call without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. Legacy 1:1 calls are unaffected by this vulnerability (Matrix Advisory).

The vulnerability has been fixed in matrix-js-sdk version 24.1.0. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present (Matrix Advisory, Release Notes).