Description
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it was possible to craft an event such that it would leak part of a targeted message event from another bridged room. This required knowing an event ID to target. Version 1.0.1 fixes this issue. As a workaround, set the `matrixHandler.eventCacheSize` config value to `0`. This workaround may impact performance.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-c7hh-3v6c-fj4q
Patch x_refsource_misc
https://github.com/matrix-org/matrix-appservice-irc/commit/8bbd2b69a16cbcbeffdd9b5c973fd89d61498d75
Release Notes x_refsource_misc
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/1.0.1
Scores
CVSS v3
3.5
EPSS
0.0033
EPSS Percentile
56.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
matrix/matrix_irc_bridge
< 1.0.1
npm/matrix-appservice-irc
0 - 1.0.1
Published
Aug 04, 2023
Tracked Since
Feb 18, 2026