N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-52rh-5rpj-c3w6

EPSS Score

CWE

Published

5/5/2022

Updated

1/9/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-52rh-5rpj-c3w6

GHSA-52rh-5rpj-c3w6: Improper handling of multiline messages in node-irc

node-irc is a socket wrapper for the IRC protocol that extends Node.js' EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling of a CR character allowed for making part of the message be sent to the IRC server verbatim rather than as a message to the channel. The vulnerability has been patched in node-irc version 1.2.1.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-52rh-5rpj-c3w6

EPSS Score

CWE

Published

5/5/2022

Updated

1/9/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-org-irc	npm	<= 1.2.0	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper handling of CR characters in message splitting. The original action method (Client.action) directly used text.split(/\r?\n/), which didn't split on standalone CR (\r). The _splitMessage function was also vulnerable due to the same flawed regex. The patch introduced proper splitting logic in _splitMessage (using /\r\n|\r|\n/) and reused it in Client.action, confirming both functions were involved in the vulnerability. The CR handling failure allowed command injection via unprocessed carriage returns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

no**-ir* is * so*k*t wr*pp*r *or t** IR* proto*ol t**t *xt*n*s No**.js' *v*nt*mitt*r. T** vuln*r**ility *llows *n *tt**k*r to m*nipul*t* * M*trix us*r into *x**utin* IR* *omm*n*s *y **vin* t**m r*ply to * m*li*iously *r**t** m*ss***. In*orr**t **n*li

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* *R ***r**t*rs in m*ss*** splittin*. T** ori*in*l **tion m*t*o* (*li*nt.**tion) *ir**tly us** t*xt.split(/\r?\n/), w*i** *i*n't split on st*n**lon* *R (\r). T** _splitM*ss*** *un*tion w*s *lso vuln*r

N/A

Basic Information

Concerned about an active attack path?

GHSA-52rh-5rpj-c3w6: Improper handling of multiline messages in node-irc

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI