Improper handling of multiline messages in matrix-appservice-irc
Description
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2. Refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Matrix appservice-IRC's improper CR character handling lets attackers trick users into executing arbitrary IRC commands via crafted messages.
Vulnerability
matrix-appservice-irc, a Node.js IRC bridge for Matrix, and its dependency node-irc improperly handle carriage return (CR) characters in messages. An attacker can craft a message that, when replied to by a Matrix user, causes part of the reply to be interpreted as IRC protocol commands rather than a plain channel message. The vulnerable versions are matrix-appservice-irc before 0.33.2 (or before 0.34.0) and node-irc before 1.2.1 [1][2][4].
Exploitation
The attacker must be a participant in an IRC-bridged Matrix room and send a maliciously crafted message containing a CR character. The victim, a Matrix user, must reply to that message. The bridge incorrectly handles the CR, sending part of the reply verbatim to the IRC server as raw data, which is interpreted as IRC commands [1][2]. No authentication bypass or special network position is required beyond access to the bridged room.
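The framing problem behind the Vulnerability and Exploitation sections, as an added illustration that is not code from matrix-appservice-irc or node-irc: IRC delimits protocol lines with CR/LF, so a bare CR inside outgoing message text ends the PRIVMSG early and the remainder reaches the server as a separate line. The function names and the sample reply are constructed for this example; the hardened variant shows one way a bridge can keep text confined to the trailing parameter.

```javascript
// Added example, not the bridge's own code. Names and sample text are constructed.

// IRC terminates protocol lines on CRLF, and servers commonly accept a bare CR
// or LF too, so any of these bytes inside message text ends the line early.
const LINE_BREAK = /\r\n|\r|\n/;

// Naive framing: embeds the text into the wire line without inspecting it.
function framePrivmsgNaive(target, text) {
  return `PRIVMSG ${target} :${text}\r\n`;
}

// Hardened framing: split the text on any line break and frame every piece as
// its own PRIVMSG, so no part of the text can leave the trailing parameter.
// NUL is dropped as well, since the IRC grammar forbids it inside parameters.
function framePrivmsgSafe(target, text) {
  return text
    .split(LINE_BREAK)
    .map((piece) => piece.replace(/\0/g, ''))
    .filter((piece) => piece.length > 0)
    .map((piece) => `PRIVMSG ${target} :${piece}\r\n`)
    .join('');
}

// Number of protocol lines a server would parse out of a wire buffer.
function countProtocolLines(wire) {
  return wire.split(LINE_BREAK).filter((line) => line.length > 0).length;
}

// True when every protocol line in the buffer is a PRIVMSG to the intended
// target, i.e. nothing escaped the trailing parameter position.
function allLinesArePrivmsgTo(wire, target) {
  const prefix = `PRIVMSG ${target} :`;
  return wire
    .split(LINE_BREAK)
    .filter((line) => line.length > 0)
    .every((line) => line.startsWith(prefix));
}

// Constructed sample: a reply whose quoted text carries a bare CR, which is
// what a crafted message in a bridged room would put into the victim's reply.
const SAMPLE_REPLY = 'quoting you: first part\rsecond part';

const naiveWire = framePrivmsgNaive('#example', SAMPLE_REPLY);
const safeWire = framePrivmsgSafe('#example', SAMPLE_REPLY);
console.log('naive framing keeps text in PRIVMSG:', allLinesArePrivmsgTo(naiveWire, '#example'));
console.log('safe framing keeps text in PRIVMSG:', allLinesArePrivmsgTo(safeWire, '#example'));
```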
Impact
A successful attack allows the attacker to execute arbitrary IRC commands on behalf of the victim's IRC user. This can result in information disclosure (e.g., listing channels, querying users), sending messages, or performing actions the victim's IRC client is authorized to do, up to the privileges of the victim's IRC connection [1][2].
Mitigation
The vulnerability is fixed in matrix-appservice-irc versions 0.33.2 and 0.34.0, and in node-irc version 1.2.1. Administrators should update their bridge instances immediately. Users should refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms until the upgrade is applied. The Matrix.org Foundation has patched its official bridges [1][2][4]. No workaround is available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| matrix-appservice-irc | npm | < 0.33.2 | 0.33.2 |
Affected products
- matrix-org/matrix-appservice-irc, affected range: < 0.34.0
References
1. github.com/advisories/GHSA-37hr-348p-rmf4 (GitHub advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-29166 (NVD)
3. github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-37hr-348p-rmf4 (vendor advisory)
4. github.com/matrix-org/node-irc/security/advisories/GHSA-52rh-5rpj-c3w6 (node-irc advisory)
5. matrix.org/blog/2022/05/04/0-34-0-security-release-for-matrix-appservice-irc-high-severity (Matrix.org blog)