VYPR
← All advisories
Critical severity9.3NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload

CVE-2026-48063

Description

Impact

Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake messages.upsert event with a fake message key and payload. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key shares, and also allows for history sync spoofing which also serves the same problem, injecting fake previous context or "on-demand" sync.

### Patches https://github.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35 This commit has patched the issue, and a version tag has been released under 7.0.0 (6.7.22) for those still on Baileys v6. A new Baileys version, v7.0.0-rc12, has been released to remediate this.

Workarounds

There are no real workarounds other than dropping messages.upsert events that contain a requestId field, turning off automatic history sync (shouldSyncHistoryMessage: () => false) in socket config. There are no workarounds for the app state sync jamming.

Affected products

1

Patches

1
3beb08eecfcb

fix(process-message): only drop self-only protocolMessages from non-self senders

https://github.com/WhiskeySockets/BaileysRajeh TaherMay 20, 2026via ghsa
commit
1 file changed · +39 0
  • src/Utils/process-message.ts+39 0 modified
    @@ -330,6 +330,45 @@ const processMessage = async (
 
 	const protocolMsg = content?.protocolMessage
 	if (protocolMsg) {
+		// Mirror whatsmeow's `handleProtocolMessage` guard, but applied only to
+		// the protocol message types that originate from our own device — an
+		// attacker could otherwise spoof any of these to manipulate local state.
+		//
+		// Self-only types (drop if `!fromMe`):
+		//   - HISTORY_SYNC_NOTIFICATION                 (our phone driving history sync)
+		//   - APP_STATE_SYNC_KEY_SHARE                  (key share between our devices)
+		//   - LID_MIGRATION_MAPPING_SYNC                (server-initiated via our phone)
+		//   - PEER_DATA_OPERATION_REQUEST_RESPONSE_MESSAGE (response from our phone to our PDO request)
+		//
+		// Cross-user types (must NOT be dropped — legitimately arrive from others):
+		//   - REVOKE
+		//   - MESSAGE_EDIT
+		//   - EPHEMERAL_SETTING
+		//   - GROUP_MEMBER_LABEL_CHANGE
+		//
+		// See https://github.com/tulir/whatsmeow/blob/8d3700152a/message.go#L842-L845
+		// for the reference architecture — whatsmeow's `handleProtocolMessage`
+		// only contains self-only types because edits are unwrapped from
+		// `EditedMessage` BEFORE this dispatch and revokes aren't routed here.
+		const SELF_ONLY_TYPES = new Set<proto.Message.ProtocolMessage.Type>([
+			proto.Message.ProtocolMessage.Type.HISTORY_SYNC_NOTIFICATION,
+			proto.Message.ProtocolMessage.Type.APP_STATE_SYNC_KEY_SHARE,
+			proto.Message.ProtocolMessage.Type.LID_MIGRATION_MAPPING_SYNC,
+			proto.Message.ProtocolMessage.Type.PEER_DATA_OPERATION_REQUEST_RESPONSE_MESSAGE
+		])
+		if (
+			protocolMsg.type !== null &&
+			protocolMsg.type !== undefined &&
+			SELF_ONLY_TYPES.has(protocolMsg.type) &&
+			!message.key.fromMe
+		) {
+			logger?.warn(
+				{ msgId: message.key.id, type: protocolMsg.type, from: message.key.participant || message.key.remoteJid },
+				'dropping spoofed self-only protocolMessage from non-self origin'
+			)
+			return
+		}
+
 		switch (protocolMsg.type) {
 			case proto.Message.ProtocolMessage.Type.HISTORY_SYNC_NOTIFICATION:
 				const histNotification = protocolMsg.historySyncNotification!

Vulnerability mechanics

Root cause

"The application did not properly validate the origin of certain protocol messages, allowing them to be spoofed."

Attack vector

An attacker can send a malicious payload via the placeholderResendMessage function to any Baileys session. This payload can trigger a fake `messages.upsert` event with a forged message key and content, enabling message spoofing. The same vulnerability allows attackers to corrupt the app state sync system and spoof history sync by sending fake key shares or context [ref_id=1].

Affected code

The vulnerability lies within the `processMessage` function in `src/Utils/process-message.ts`. The patch modifies this function by introducing a check for `protocolMsg.type` against a set of `SELF_ONLY_TYPES` before processing, ensuring that these messages only originate from the user's own device.

What the fix does

The patch narrows the guard for protocol message processing to only drop self-only protocol messages originating from non-self senders. Specifically, it checks if the protocol message type is one of the self-only types (e.g., HISTORY_SYNC_NOTIFICATION, APP_STATE_SYNC_KEY_SHARE) and if the message is not from the current user (`!message.key.fromMe`). This prevents attackers from spoofing these critical message types to manipulate local state [patch_id=5506247].

Preconditions

  • inputA Baileys session must be active and vulnerable (versions prior to 7.0.0-rc12 and 6.7.22).

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.