Impact
If a bridge has room upgrade handling turned on in the configuration (the roomUpgradeOpts key when instantiating a new Bridge instance.), any m.room.tombstone event it encounters will be used to unbridge the current room and bridge into the target room. However, the target room m.room.create event is not checked to verify if the predecessor field contains the previous room. This means that any mailcious admin of a bridged room can repoint the traffic to a different room without the new room being aware.
Patches
Versions 2.6.1 and greater are patched.
Workarounds
Disabling the automatic room upgrade handling can be done by removing the roomUpgradeOpts key from the Bridge class options.
References
The issue is patched by #330
For more information]
If you have any questions or comments about this advisory, email us at security@matrix.org.
Impact
If a bridge has room upgrade handling turned on in the configuration (the
roomUpgradeOptskey when instantiating a newBridgeinstance.), anym.room.tombstoneevent it encounters will be used to unbridge the current room and bridge into the target room. However, the target roomm.room.createevent is not checked to verify if thepredecessorfield contains the previous room. This means that any mailcious admin of a bridged room can repoint the traffic to a different room without the new room being aware.Patches
Versions 2.6.1 and greater are patched.
Workarounds
Disabling the automatic room upgrade handling can be done by removing the
roomUpgradeOptskey from theBridgeclass options.References
The issue is patched by #330
For more information]
If you have any questions or comments about this advisory, email us at security@matrix.org.