Description
IRC allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc parse such mode commands incorrectly, potentially resulting in the wrong user being given permissions.
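As an added illustration (not code from matrix-appservice-irc or node-irc), the sketch below shows the pairing a mode parser has to get right: each letter in a multi-mode command consumes a parameter only if its mode class requires one. The mode classes, function names and the sample command are assumptions constructed for this example.

```javascript
// Added example: pair each letter of an IRC MODE change with its parameter.
// Assumed mode classes; a real client should read them from the server's
// RPL_ISUPPORT CHANMODES and PREFIX tokens instead of hard-coding them.
const MODE_CLASSES = {
  always: new Set(['b', 'e', 'I', 'k', 'o', 'h', 'v']), // list, key and prefix modes
  onSet: new Set(['l']),                                // parameter only when set
};
const PRIVILEGE_MODES = new Set(['o', 'h', 'v']);

function parseModeChange(modeString, params) {
  const args = [...params];
  const changes = [];
  let adding = true;
  for (const ch of modeString) {
    if (ch === '+') { adding = true; continue; }
    if (ch === '-') { adding = false; continue; }
    const needsArg =
      MODE_CLASSES.always.has(ch) || (adding && MODE_CLASSES.onSet.has(ch));
    let arg = null;
    if (needsArg) {
      // Fail closed: never let a later letter borrow another letter's parameter.
      if (args.length === 0) throw new Error(`mode ${ch} is missing its parameter`);
      arg = args.shift();
    }
    changes.push({ adding, mode: ch, arg });
  }
  // Leftover parameters mean letters and arguments were not aligned.
  if (args.length > 0) throw new Error(`unconsumed parameters: ${args.join(' ')}`);
  return changes;
}

// Reduce a parsed change to the privilege grants/revocations it contains.
function privilegeChanges(changes) {
  return changes
    .filter((c) => PRIVILEGE_MODES.has(c.mode))
    .map((c) => `${c.adding ? '+' : '-'}${c.mode} ${c.arg}`);
}

// Constructed sample: MODE #room +ntlo-v 25 alice bob
// "25" belongs to +l, so +o must resolve to alice and -v to bob.
const sample = parseModeChange('+ntlo-v', ['25', 'alice', 'bob']);
console.log(privilegeChanges(sample));
```

Rejecting a command whose letters and parameters do not line up is safer than guessing, because a guessed pairing is exactly how a permission ends up on the wrong nick.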
Recommendation
Update the matrix-appservice-irc package to the latest compatible version. Version details:
- Affected version(s): < 0.35.0
- Patched version(s): 0.35.0
Tags: npm, matrix-appservice-irc
Last updated on January 29, 2023