Mozilla Foundation Security Advisory 2024-69

Security Vulnerabilities fixed in Thunderbird 128.5.2

Announced
December 10, 2024
Impact
moderate
Products
Thunderbird
Fixed in
  • Thunderbird 128.5.2

CVE-2024-50336: matrix-js-sdk has insufficient MXC URI validation which could allow client-side path traversal

Reporter
Patrick Cloke
Impact
moderate
Description

The Matrix specification requires homeservers to validate the server-name and media-id components of MXC URIs, with the intent of preventing path traversal. However, it does not state that an equivalent check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.
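The following is an added example illustrating the check the description calls for; it is not code from matrix-js-sdk, Mozilla or the Matrix project. It parses an `mxc://<server-name>/<media-id>` URI on the client, rejects components that could be re-interpreted by a URL resolver, and shows a hardened request-path builder next to an unvalidated one. The component grammar (hostname-style server-name with optional port or bracketed IPv6 literal; media-id limited to `[A-Za-z0-9_-]`), the `/_matrix/media/v3/download/` endpoint path and all function names and sample inputs are assumptions made for this illustration.

```javascript
// Added example (not matrix-js-sdk code): client-side validation of MXC URI
// components before they are used to build a media-repository request path.
//
// Assumed grammar (for illustration only; consult the Matrix spec for the
// authoritative definition):
//   server-name: dotted hostname labels or a bracketed IPv6 literal,
//                optionally followed by :port
//   media-id:    one or more characters from [A-Za-z0-9_-]
const SERVER_NAME_RE =
  /^(?:(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/;
const MEDIA_ID_RE = /^[A-Za-z0-9_-]+$/;

// Assumed endpoint prefix for this example.
const DOWNLOAD_PREFIX = '/_matrix/media/v3/download/';

// Returns { serverName, mediaId } for a well-formed URI, or null if any part
// is missing, contains extra path segments, or fails the component grammar.
// Rejecting '.', '/', and '%' inside components closes both literal and
// percent-encoded traversal ("../x", "..%2Fx") at the client.
function parseMxcUri(uri) {
  const m = /^mxc:\/\/([^/]+)\/([^/]+)$/.exec(uri);
  if (!m) return null;
  const [, serverName, mediaId] = m;
  if (!SERVER_NAME_RE.test(serverName)) return null;
  if (!MEDIA_ID_RE.test(mediaId)) return null;
  return { serverName, mediaId };
}

// Hardened builder: validates first, then percent-encodes each component so
// the resolver can never treat it as more than one path segment.
function buildDownloadPath(baseUrl, uri) {
  const parsed = parseMxcUri(uri);
  if (parsed === null) throw new Error(`rejected MXC URI: ${uri}`);
  const { serverName, mediaId } = parsed;
  return `${baseUrl}${DOWNLOAD_PREFIX}` +
    `${encodeURIComponent(serverName)}/${encodeURIComponent(mediaId)}`;
}

// Unvalidated builder, kept only to show the bug class the advisory
// describes: components are split on the first '/' and concatenated as-is.
function buildDownloadPathUnsafe(baseUrl, uri) {
  const rest = uri.slice('mxc://'.length);
  const slash = rest.indexOf('/');
  const serverName = rest.slice(0, slash);
  const mediaId = rest.slice(slash + 1);
  return `${baseUrl}${DOWNLOAD_PREFIX}${serverName}/${mediaId}`;
}

// Path as a WHATWG URL resolver would actually send it (dot segments
// collapsed), used to show what an unvalidated component turns into.
function resolvedPathname(url) {
  return new URL(url).pathname;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample inputs.
  const base = 'https://hs.example';
  console.log(buildDownloadPath(base, 'mxc://matrix.example/AbC123_-'));
  console.log(resolvedPathname(
    buildDownloadPathUnsafe(base, 'mxc://matrix.example/../other')));
  try {
    buildDownloadPath(base, 'mxc://matrix.example/../other');
  } catch (e) {
    console.log(e.message);
  }
}
```

The parse step is deliberately strict (exactly two components, no `.`, `/` or `%` in the media ID), which is what prevents a crafted media ID from escaping the server-name and media-id slots of the request path even before encoding is applied.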

References