CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-23197 – matrix-hookshot has a Potential Denial of Service when Hookshot is configured with GitHub support
https://notcve.org/view.php?id=CVE-2025-23197
27 Jan 2025 — matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. When Hookshot 6 version 6.0.1 or below, or Hookshot 5 version 5.4.1 or below, is configured with GitHub support, it is vulnerable to a Denial of Service (DoS) whereby it can crash on restart due to a missing check. The impact is greater to you untrusted users can add their own GitHub organizations to Hookshot in order to connect their room to a repository. This vulnerability is fixed in 6.0.2 and 5.4.2. • https://github.com/matrix-org/matrix-hookshot/commit/e51d8210233ac759e7f7dfebc2c4f1bf6ce94802 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43656 – Sandbox escape for instances that have enabled transformation functions in matrix-hookshot
https://notcve.org/view.php?id=CVE-2023-43656
27 Sep 2023 — matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have `generic.allowJsTransformationFunctions` in their config), may be vulnerable to an attack where it is possible to break out of the `vm2` sandbox and as a result Hookshot will be vulnerable to this. This problem is only likely to affect users who have allowed untrusted users to apply their own transformation functions. If you have only ... • https://github.com/matrix-org/matrix-hookshot/commit/dc126afa6af86d66aefcd23a825326f405bcc894 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •