{"id":"CVE-2022-29166","summary":"Improper handling of multiline messages in matrix-appservice-irc","details":"matrix-appservice-irc is a Node.js IRC bridge for Matrix. A vulnerability in node-irc allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. The vulnerability has been patched in matrix-appservice-irc 0.33.2 (the affected range in this record lists 0.34.0 as the fixed version). Until the bridge is upgraded, refrain from replying to messages from untrusted participants in IRC-bridged Matrix rooms; there are no other known workarounds for this issue.","aliases":["GHSA-37hr-348p-rmf4"],"modified":"2026-04-10T04:47:10.233637Z","published":"2022-05-05T23:05:14Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29166.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-74"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29166.json"},{"type":"ADVISORY","url":"https://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-37hr-348p-rmf4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29166"},{"type":"ARTICLE","url":"https://matrix.org/blog/2022/05/04/0-34-0-security-release-for-matrix-appservice-irc-high-severity"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/matrix-org/matrix-appservice-irc","events":[{"introduced":"0"},{"fixed":"8faf9614e80073e3cf07c96dbd295379d80f4161"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.34.0"}]}}],"versions":["0.1.1","0.10.1","0.14.0-rc1","0.14.0-rc2","0.14.0-rc3","0.14.0-rc4","0.15.2","0.20.2","0.21.0","0.21.0-rc3","0.22.0","0.22.0-rc1","0.23.0","0.23.0-fosdem","0.23.0-rc1","0.24.0","0.24.0-rc1","0.25.0-rc1","0.26.0","0.26.0-rc1","0.26.0-rc2","0.26.1","0.32.1","0.5.0","0.7.0","0.7.1","develop-2019-02-17","develop-2019-11-12","develop-2019-11-15","develop-2019-11-26","develop-2019-11-28","matrix-org-testing","v0.9.0","v0.9.0-rc1","v0.9.1"],"database_specific
":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29166.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}