Skip to content

Improper handling of multiline messages in node-irc

High severity GitHub Reviewed Published May 4, 2022 in matrix-org/node-irc • Updated Jan 9, 2023

Package

npm matrix-org-irc (npm)

Affected versions

<= 1.2.0

Patched versions

1.2.1

Description

node-irc is a socket wrapper for the IRC protocol that extends Node.js' EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel.
The vulnerability has been patched in node-irc version 1.2.1.

References

@dkasak dkasak published to matrix-org/node-irc May 4, 2022
Published to the GitHub Advisory Database May 5, 2022
Reviewed May 5, 2022
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-52rh-5rpj-c3w6

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.