Improper handling of multiline messages in node-irc affects matrix-appservice-irc
- Severity: High
Description
matrix-appservice-irc provides an IRC bridge for Matrix. The vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2.
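An added example, not code from node-irc or matrix-appservice-irc, assuming the underlying issue is the general one for line-delimited protocols: a raw CR or LF inside a message body ends the current IRC command, so whatever follows on the next line is parsed by the server as a command of its own. The hypothetical framer below shows the defensive handling an IRC client library needs: every line of a multiline body becomes its own PRIVMSG, stray control characters are dropped, and long lines are chunked to the 512-byte limit.

```javascript
// Added example (hypothetical names; not node-irc's or the bridge's code).
// The IRC wire protocol is line-delimited, so an outbound message body must
// never carry a bare CR/LF to the socket. Each logical line is framed as its
// own "PRIVMSG <target> :<text>\r\n".

const IRC_MAX_LINE = 512; // bytes, including the trailing CRLF

// Split a possibly multiline body into individual lines with no terminators left.
function splitMessageLines(body) {
  return body
    .split(/\r\n|\r|\n/)                               // CRLF, lone CR, lone LF
    .map((line) => line.replace(/[\u0000\r\n]/g, ''))  // NUL/CR/LF are never legal in a parameter
    .filter((line) => line.length > 0);
}

// Build the exact wire lines for a message to `target`, one PRIVMSG per line.
function encodePrivmsg(target, body) {
  if (/[\s\u0000\r\n]/.test(target)) {
    throw new Error('invalid IRC target'); // whitespace in the target would smuggle parameters
  }
  const prefix = `PRIVMSG ${target} :`;
  const room = IRC_MAX_LINE - Buffer.byteLength(prefix) - 2; // 2 bytes for CRLF
  const wire = [];
  for (const line of splitMessageLines(body)) {
    let rest = line;
    while (rest.length > 0) {
      // take the longest prefix that still fits within `room` bytes
      let take = rest.length;
      while (Buffer.byteLength(rest.slice(0, take)) > room) take -= 1;
      wire.push(prefix + rest.slice(0, take) + '\r\n');
      rest = rest.slice(take);
    }
  }
  return wire;
}

// Invariant a unit test or review can check: every emitted line is a PRIVMSG,
// ends with exactly one CRLF, and carries no other line terminator.
function allLinesAreFramed(wire) {
  return wire.every(
    (l) => l.startsWith('PRIVMSG ') && l.endsWith('\r\n') && !/[\r\n]/.test(l.slice(0, -2))
  );
}
```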
Recommendation
Update the matrix-appservice-irc package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 0.33.1
- Patched version(s): 0.33.2
References
Related Issues
- Matrix-appservice-irc vulnerable to sql injection via roomIds argument - CVE-2022-3971
- matrix-appservice-irc vulnerable to IRC mode parameter confusion - CVE-2022-39202
- matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms - CVE-2023-38700
- Parsing issue in matrix-org/node-irc leading to room takeovers - CVE-2022-39203
- Tags: npm, matrix-appservice-irc
Last updated on January 27, 2023