Headline
CVE-2022-29166: 0.34.0 security release for matrix-appservice-irc (High severity) | Matrix.org
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2. Refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms. There are no known workarounds for this issue.
We’ve released updates to matrix-appservice-irc and our forked node-irc that it depends on to patch a High security vulnerability. It’s advised to update to 0.34.0 as soon as possible.
The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message.
Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel.
If you are currently a matrix-appservice-irc user, exercise caution when replying to messages from untrusted participants in IRC bridged rooms until your bridge instance has been upgraded.
The vulnerability has been patched in node-irc version 1.2.1 and matrix-appservice-irc 0.34.0. You can get the release on Github.
The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.
The vulnerabilities are tracked as GHSA-37hr-348p-rmf4 and GHSA-52rh-5rpj-c3w6.
Thank you, Val Lorentz for reporting this vulnerability.
Related news
matrix-appservice-irc provides an IRC bridge for Matrix. The vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2. In terms of a workaround, users should refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms.