irc-framework@2.10.3 vulnerabilities

A better IRC framework for node.js

Direct Vulnerabilities

Known vulnerabilities in the irc-framework package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability                  Vulnerable Version
Remote Code Execution (RCE)    <4.7.0

Remote Code Execution (RCE)

irc-framework is an IRC framework for node.js.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the form of IRC command injection through embedded newlines. Calling event.reply with a message such as Hello World\nQUIT passes the input unmodified to the socket layer, which splits whatever it is given on newlines, so the IRC server receives two lines from the client: PRIVMSG #dev :Hello World and QUIT. Any text an attacker controls (for example, a user's message that a bot echoes back) can therefore be used to send arbitrary IRC commands in the client's name.

The function that handles replies to events does split messages that exceed the length threshold and prepends the appropriate prefix (PRIVMSG #dev in the example above) to each resulting line, but it does not do the same for messages that explicitly contain \n, so those lines reach the socket without a prefix and are interpreted by the server as separate commands.
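The mechanism above, as an added example in JavaScript. This is a constructed model of the reply splitting logic written for this page, not irc-framework's own code; it assumes a 512-byte IRC line limit including the trailing CRLF, a socket writer that splits its buffer on line breaks before sending (as the advisory describes), and the #dev target from the example. The vulnerable shape applies only the length threshold; the hardened shape splits on line breaks first so every line that leaves the client carries the PRIVMSG prefix.

```javascript
// Constructed model of the irc-framework reply() newline issue (not the library's code).
// Assumption: IRC line limit of 512 bytes including CRLF; the socket layer splits
// its buffer on line breaks and sends each piece as its own command.
const MAX_LINE = 512;

// Model of the socket layer: everything it is handed is split on line breaks and
// each non-empty piece goes to the server as a separate command.
function socketLines(raw) {
  return raw.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
}

// Splits one line of text into chunks that fit under MAX_LINE once prefixed.
function chunkByLength(prefix, text) {
  const room = MAX_LINE - prefix.length - 2; // 2 bytes reserved for the CRLF
  const chunks = [];
  for (let i = 0; i < text.length; i += room) {
    chunks.push(text.slice(i, i + room));
  }
  return chunks;
}

// Vulnerable shape (irc-framework < 4.7.0 per the advisory): only the length
// threshold is handled, so embedded line breaks reach the socket untouched.
function vulnerableReply(target, message) {
  const prefix = `PRIVMSG ${target} :`;
  const raw = chunkByLength(prefix, message)
    .map((chunk) => prefix + chunk)
    .join('\r\n') + '\r\n';
  return socketLines(raw);
}

// Hardened shape: split on line breaks first, then apply the length threshold
// per line, so every line that reaches the socket carries the PRIVMSG prefix.
function hardenedReply(target, message) {
  const prefix = `PRIVMSG ${target} :`;
  const lines = message.split(/\r\n|\r|\n/).filter((line) => line.length > 0);
  const raw = lines
    .flatMap((line) => chunkByLength(prefix, line).map((chunk) => prefix + chunk))
    .join('\r\n') + '\r\n';
  return socketLines(raw);
}

// The first token of each wire line is the command the server will execute.
function commandsSeenByServer(lines) {
  return lines.map((line) => line.split(' ')[0]);
}

// Guard a caller can apply before reply() on a version it cannot upgrade yet:
// refuse untrusted text that carries any line break.
function hasLineInjection(message) {
  return /[\r\n]/.test(message);
}

// Constructed input: attacker-controlled text that tries to smuggle a QUIT command.
const payload = 'Hello World\nQUIT';
console.log(vulnerableReply('#dev', payload)); // [ 'PRIVMSG #dev :Hello World', 'QUIT' ]
console.log(hardenedReply('#dev', payload));   // [ 'PRIVMSG #dev :Hello World', 'PRIVMSG #dev :QUIT' ]
console.log(hasLineInjection(payload));        // true
```

Note that hasLineInjection is a stopgap for callers, not a substitute for the upgrade: the splitting has to happen inside the library for every path that writes to the socket, not only for reply().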

How to fix Remote Code Execution (RCE)?

Upgrade irc-framework to version 4.7.0 or higher.
