matrix-appservice-irc PgDataStore.ts sql injection
Description
A vulnerability was found in matrix-appservice-irc up to 0.35.1. It has been declared as critical. This vulnerability affects unknown code of the file src/datastore/postgres/PgDataStore.ts. The manipulation of the argument roomIds leads to sql injection. Upgrading to version 0.36.0 is able to address this issue. The name of the patch is 179313a37f06b298150edba3e2b0e5a73c1415e7. It is recommended to upgrade the affected component. VDB-213550 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in matrix-appservice-irc's Postgres data store allows attackers with control over room ID configuration to execute arbitrary SQL.
Vulnerability
A SQL injection vulnerability exists in matrix-appservice-irc versions up to 0.35.1. The flaw resides in the file src/datastore/postgres/PgDataStore.ts where the roomIds argument is not properly sanitized before being used in database queries. This allows an attacker to inject malicious SQL statements through crafted room ID values [1][3].
Exploitation
Exploitation requires the ability to set or control room ID configuration values. According to the pull request that fixed the issue, this is considered a low-risk scenario because it typically requires administrative access to the bridge configuration [3]. The attacker does not need network-level access or authentication to the database itself; the injection occurs through the application's normal query path.
Impact
Successful exploitation could allow an attacker to execute arbitrary SQL commands against the Postgres database. This could lead to unauthorized access to sensitive data, modification of database contents, or potential escalation of privileges within the bridge's data store. The vulnerability is rated as critical due to the potential for data compromise [1].
Mitigation
The vulnerability is fixed in version 0.36.0 of matrix-appservice-irc. The fix was introduced in commit 179313a37f06b298150edba3e2b0e5a73c1415e7 and merged via pull request #1619 [3][4]. Users are strongly advised to upgrade to version 0.36.0 or later to mitigate the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
matrix-appservice-ircnpm | < 0.36.0 | 0.36.0 |
Affected products
2- unspecified/matrix-appservice-ircv5Range: 0.35.0
Patches
1179313a37f06Prevent low-risk SQL injection from roomId values when entered into the config (#1619)
2 files changed · +4 −2
changelog.d/1619.bugfix+1 −0 added@@ -0,0 +1 @@ +Prevent possible attack by provisisioning a room with a specific roomID.
src/datastore/postgres/PgDataStore.ts+3 −2 modified@@ -661,8 +661,9 @@ export class PgDataStore implements DataStore { public async getRoomsVisibility(roomIds: string[]) { const map: {[roomId: string]: "public"|"private"} = {}; - const list = `('${roomIds.join("','")}')`; - const res = await this.pgPool.query(`SELECT room_id, visibility FROM room_visibility WHERE room_id IN ${list}`); + const res = await this.pgPool.query("SELECT room_id, visibility FROM room_visibility WHERE room_id IN $1", [ + roomIds, + ]); for (const row of res.rows) { map[row.room_id] = row.visibility ? "public" : "private"; }
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-ffwf-47x2-jpr8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-3971ghsaADVISORY
- github.com/matrix-org/matrix-appservice-irc/commit/179313a37f06b298150edba3e2b0e5a73c1415e7ghsaWEB
- github.com/matrix-org/matrix-appservice-irc/pull/1619ghsaWEB
- github.com/matrix-org/matrix-appservice-irc/releases/tag/0.36.0ghsaWEB
- vuldb.comghsaWEB
News mentions
0No linked articles in our index yet.