matrix-appservice-irc IRC command injection via admin commands containing newlines
- Severity: Medium
Description
A command containing newlines can be crafted that the bridge does not parse properly. As a result, a string of commands can be passed as a channel name, and those commands are then run by the IRC bridge bot.
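The effect of a newline inside a channel name on a line-oriented protocol, and a parameter check that stops it, as an added example (not code from matrix-appservice-irc or from this advisory). The function names and sample strings are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the bridge's own code.
// IRC is line-oriented: a server treats each CR/LF as the end of one message,
// so an unchecked parameter containing a newline becomes extra messages.

// Constructed sample inputs for an admin command that takes a channel name.
const SAMPLE_OK = "#matrix";
const SAMPLE_MULTILINE = "#matrix\r\nPRIVMSG #other :hello";

// How many protocol messages a server would read from a buffer sent to it.
function countWireLines(buffer) {
  return buffer.split(/[\r\n]+/).filter((line) => line.length > 0).length;
}

// Unsafe pattern: the parameter is interpolated into the line unchecked.
function buildJoinNaive(channel) {
  return `JOIN ${channel}\r\n`;
}

// RFC 2812 forbids space, comma and BEL in channel names; NUL, CR and LF
// cannot appear in any IRC parameter because they break message framing.
const FORBIDDEN_IN_CHANNEL = /[\x00\x07\r\n ,]/;

// Hardened pattern: reject the whole argument instead of trying to clean it,
// so nothing after an embedded newline can ever reach the socket.
function buildJoinStrict(channel) {
  if (typeof channel !== "string" || channel.length === 0) {
    throw new TypeError("channel must be a non-empty string");
  }
  if (FORBIDDEN_IN_CHANNEL.test(channel)) {
    throw new Error("channel contains a character not allowed in an IRC parameter");
  }
  return `JOIN ${channel}\r\n`;
}

// Returns true when the strict builder refuses the argument.
function isRejected(channel) {
  try {
    buildJoinStrict(channel);
    return false;
  } catch (err) {
    return true;
  }
}

console.log("naive, clean input:    ", countWireLines(buildJoinNaive(SAMPLE_OK)), "message(s)");
console.log("naive, multiline input:", countWireLines(buildJoinNaive(SAMPLE_MULTILINE)), "message(s)");
console.log("strict rejects multiline input:", isRejected(SAMPLE_MULTILINE));
```

The same check belongs on every argument of an admin command before it is placed into an IRC line, not only on channel names.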
Recommendation
Update the matrix-appservice-irc package to the latest compatible version. Version details:
- Affected version(s): <= 1.0.0
- Patched version(s): 1.0.1
- Tags: npm, matrix-appservice-irc
Last updated on June 20, 2024