VYPR
Moderate severity · NVD Advisory · Published Sep 13, 2022 · Updated Apr 23, 2025

IRC mode parameter confusion in matrix-appservice-irc

CVE-2022-39202

Description

matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. The Internet Relay Chat (IRC) protocol allows you to specify multiple modes in a single mode command. Due to a bug in the underlying matrix-org/node-irc library, affected versions of matrix-appservice-irc perform parsing of such modes incorrectly, potentially resulting in the wrong user being given permissions. Mode commands can only be executed by privileged users, so this can only be abused if an operator is tricked into running the command on behalf of an attacker. The vulnerability has been patched in matrix-appservice-irc 0.35.0. As a workaround users should refrain from entering mode commands suggested by untrusted users. Avoid using multiple modes in a single command.
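
How mode characters and parameters pair up in a multi-mode command, as an added example (not code from matrix-org/node-irc or matrix-appservice-irc, and not a reproduction of the patched bug). The mode classes in CAPS and the nicks are assumptions; each mode consumes a parameter only when its class and sign require one, and anything that cannot be paired is rejected.

```javascript
// Added example: not code from matrix-org/node-irc or matrix-appservice-irc.
// ASSUMED capabilities; a real server advertises CHANMODES/PREFIX in RPL_ISUPPORT.
const CAPS = {
  prefixModes: 'ov',   // grant channel privileges, always take a nick
  listModes: 'beI',    // type A: always take a parameter here
  alwaysParam: 'k',    // type B: parameter on set and unset
  paramOnSet: 'l',     // type C: parameter only with '+'
  noParam: 'imnpst',   // type D: never take a parameter
};

// Does `mode` consume a parameter when applied with `sign`? Unknown modes are
// rejected: guessing their arity is what shifts later parameters.
function takesParam(mode, sign, caps) {
  if ((caps.prefixModes + caps.listModes + caps.alwaysParam).includes(mode)) return true;
  if (caps.paramOnSet.includes(mode)) return sign === '+';
  if (caps.noParam.includes(mode)) return false;
  throw new Error(`unknown mode '${mode}'`);
}

// Expand the arguments of "MODE <channel> <modes> [params...]" into one
// { sign, mode, param } entry per mode character, pairing parameters in order.
function parseModes(modes, params, caps = CAPS) {
  const queue = [...params];
  const changes = [];
  let sign = '+';
  for (const ch of modes) {
    if (ch === '+' || ch === '-') { sign = ch; continue; }
    let param = null;
    if (takesParam(ch, sign, caps)) {
      // Fail closed (a bare list mode is a query on real servers; not handled here).
      if (queue.length === 0) throw new Error(`${sign}${ch} has no parameter`);
      param = queue.shift();
    }
    changes.push({ sign, mode: ch, param });
  }
  if (queue.length > 0) throw new Error(`unpaired parameters: ${queue.join(' ')}`);
  return changes;
}

// Nicks that would gain a privilege, for display before the command is acted on.
function privilegeGrants(modes, params, caps = CAPS) {
  return parseModes(modes, params, caps)
    .filter((c) => c.sign === '+' && caps.prefixModes.includes(c.mode))
    .map((c) => `+${c.mode} ${c.param}`);
}

// Constructed input: "-l" takes no parameter, so "alice" belongs to "+o".
console.log(privilegeGrants('-l+ov', ['alice', 'bob']));
```
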

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A mode parser bug in matrix-appservice-irc allows an operator tricked into issuing a multi-mode command to grant unintended privileges, patched in 0.35.0.

CVE-2022-39202 is a vulnerability in the matrix-appservice-irc bridge, which connects Matrix chat to IRC networks. The root cause is a parsing error in the underlying matrix-org/node-irc library when handling IRC mode commands that specify multiple modes in a single command. This bug leads to incorrect mode target assignment, potentially granting permissions to a different user than intended [1][4].

Exploitation

Exploitation requires a privileged IRC operator to be tricked into executing a crafted multi-mode command provided by an attacker. The attack relies on social engineering rather than direct network access, as mode commands are restricted to operators [1][4].

Impact

An attacker who successfully tricks an operator can cause the wrong user to receive channel privileges, such as operator status, effectively allowing a room takeover. The vulnerability is rated HIGH severity (CVSS 7.5) and is tracked as GHSA-xvqg-mv25-rwvw [2].

Mitigation

The vulnerability is patched in matrix-appservice-irc version 0.35.0 and the node-irc library version 1.3.0. Operators should upgrade immediately. As a workaround, users should avoid executing mode commands suggested by untrusted individuals and refrain from using multiple modes in a single command [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
matrix-appservice-irc (npm) | < 0.35.0 | 0.35.0

Patches

5f87dbed87b4

Merge pull request from GHSA-37hr-348p-rmf4

2 files changed · +11 −11
  • package.json +2 −2 modified
    @@ -1,6 +1,6 @@
     {
       "name": "matrix-appservice-irc",
    -  "version": "0.33.1",
    +  "version": "0.34.0",
       "description": "An IRC Bridge for Matrix",
       "main": "app.js",
       "bin": "./bin/matrix-appservice-irc",
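    Review bot: The "version" line is bumped to 0.34.0, but the advisory text on this page names 0.35.0 as the first patched release of matrix-appservice-irc, and the merge title cites GHSA-37hr-348p-rmf4 rather than the GHSA-xvqg-mv25-rwvw id given for this CVE. Confirm that this commit is the fix for CVE-2022-39202 and not for a neighbouring advisory, and state in the commit message which advisory and which released version it belongs to.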
    @@ -34,7 +34,7 @@
         "he": "^1.2.0",
         "logform": "^2.4.0",
         "matrix-appservice-bridge": "^3.2.0",
    -    "matrix-org-irc": "^1.2.0",
    +    "matrix-org-irc": "^1.2.1",
         "matrix-bot-sdk": "0.5.19",
         "nopt": "^3.0.1",
         "p-queue": "^6.6.2",
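    Review bot: A regression test is missing: raising the floor to "^1.2.1" on the "matrix-org-irc" line is the only functional change in package.json, and the commit touches nothing but package.json and package-lock.json. The caret range still admits any later 1.x release, so a bridge-level test that feeds a MODE line carrying several modes and parameters and asserts which nick receives each one would keep a later dependency update from reintroducing the mis-pairing.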
    
  • package-lock.json +9 −9 modified
    @@ -1,12 +1,12 @@
     {
       "name": "matrix-appservice-irc",
    -  "version": "0.33.1",
    +  "version": "0.34.0",
       "lockfileVersion": 2,
       "requires": true,
       "packages": {
         "": {
           "name": "matrix-appservice-irc",
    -      "version": "0.33.1",
    +      "version": "0.34.0",
           "license": "Apache-2.0",
           "dependencies": {
             "@sentry/node": "^6.17.9",
    @@ -18,7 +18,7 @@
             "logform": "^2.4.0",
             "matrix-appservice-bridge": "^3.2.0",
             "matrix-bot-sdk": "0.5.19",
    -        "matrix-org-irc": "^1.2.0",
    +        "matrix-org-irc": "^1.2.1",
             "nopt": "^3.0.1",
             "p-queue": "^6.6.2",
             "pg": "^8.7.3",
    @@ -3918,9 +3918,9 @@
           }
         },
         "node_modules/matrix-org-irc": {
    -      "version": "1.2.0",
    -      "resolved": "https://registry.npmjs.org/matrix-org-irc/-/matrix-org-irc-1.2.0.tgz",
    -      "integrity": "sha512-RnfeR9FimJJD/iOWw0GiV7NIPRmBJobvFasUgjVmGre9A4qJ9klHIDOlQ5vXIoPPMjzG8XXuAf4WHgMCNBfZkQ==",
    +      "version": "1.2.1",
    +      "resolved": "https://registry.npmjs.org/matrix-org-irc/-/matrix-org-irc-1.2.1.tgz",
    +      "integrity": "sha512-x7SoeIOP+Z6R2s8PJqhM89OZNsS2RO4srx7c3JGa/VN6rtJ1AMLEyW4EPCVh09tGiTvmbit9KJysjLvFQPx9KA==",
           "dependencies": {
             "chardet": "^1.3.0",
             "iconv-lite": "^0.6.2",
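    Review bot: The new "resolved" and "integrity" values under "node_modules/matrix-org-irc" cannot be checked from the diff alone, and this lock entry is what pins the parser fix for lockfile-based installs. Compare the sha512 with the registry metadata for matrix-org-irc 1.2.1 (for example with npm view matrix-org-irc@1.2.1 dist.integrity) before merging, and check that the second "matrix-org-irc" entry later in the file carries the identical pair.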
    @@ -9149,9 +9149,9 @@
           }
         },
         "matrix-org-irc": {
    -      "version": "1.2.0",
    -      "resolved": "https://registry.npmjs.org/matrix-org-irc/-/matrix-org-irc-1.2.0.tgz",
    -      "integrity": "sha512-RnfeR9FimJJD/iOWw0GiV7NIPRmBJobvFasUgjVmGre9A4qJ9klHIDOlQ5vXIoPPMjzG8XXuAf4WHgMCNBfZkQ==",
    +      "version": "1.2.1",
    +      "resolved": "https://registry.npmjs.org/matrix-org-irc/-/matrix-org-irc-1.2.1.tgz",
    +      "integrity": "sha512-x7SoeIOP+Z6R2s8PJqhM89OZNsS2RO4srx7c3JGa/VN6rtJ1AMLEyW4EPCVh09tGiTvmbit9KJysjLvFQPx9KA==",
           "requires": {
             "chardet": "^1.3.0",
             "iconv-lite": "^0.6.2",
    
