matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms
- Severity: Low
Description
It was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target.
Recommendation
Update the matrix-appservice-irc package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0
- Patched version(s): 1.0.1
References
Related Issues
- Matrix IRC Bridge allows IRC command injection to own puppeted user - CVE-2025-27146
- matrix-appservice-irc IRC command injection via admin commands containing newlines - CVE-2023-38690
- Matrix IRC Bridge truncated content of messages can be leaked - CVE-2024-32000
- angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend - CVE-2023-28444
- Tags: npm, matrix-appservice-irc
Last updated on November 12, 2023