irc-framework@2.5.5 vulnerabilities

A better IRC framework for node.js

  • latest version

    4.14.0

  • latest non vulnerable version

  • first published

    8 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the irc-framework package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • C
    Remote Code Execution (RCE)

    irc-framework is an IRC framework for node.js.

    Affected versions of this package are vulnerable to Remote Code Execution (RCE). Calling event.reply with a message like Hello World\nQUIT will cause the package to pass the input straight to sockets, which in turn will split its input by newlines, resulting in IRC server receiving two lines from client: PRIVMSG #dev :Hello World and QUIT.

    The underlying function responsible for handling reply to events will properly split messages and append appropriate prefix (PRIVMSG #dev in previous example) for lines that are above threshold length, however it does not do such thing for messages that explicitly contain \n in them.

    How to fix Remote Code Execution (RCE)?

    Upgrade irc-framework to version 4.7.0 or higher.

    <4.7.0