We've released updates to matrix-appservice-irc and our forked node-irc that it depends on to patch a High security vulnerability. It's advised to update to 0.34.0 as soon as possible.

The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message.

Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel.

If you are currently a matrix-appservice-irc user, exercise caution when replying to messages from untrusted participants in IRC bridged rooms until your bridge instance has been upgraded.

The vulnerability has been patched in node-irc version 1.2.1 and matrix-appservice-irc 0.34.0. You can get the release on Github.

The bridges running on the Libera Chat, OFTC and other networks bridged by the Matrix.org Foundation have been patched.

The vulnerabilities are tracked as GHSA-37hr-348p-rmf4 and GHSA-52rh-5rpj-c3w6.

Thank you, Val Lorentz for reporting this vulnerability.

The Foundation needs you

The Matrix.org Foundation is a non-profit and only relies on donations to operate. Its core mission is to maintain the Matrix Specification, but it does much more than that.

It maintains the matrix.org homeserver and hosts several bridges for free. It fights for our collective rights to digital privacy and dignity.

Support us