Remote Code Execution (RCE) Affecting irc-framework package, versions <4.7.0
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-IRCFRAMEWORK-557137
- published 26 Feb 2020
- disclosed 26 Feb 2020
- credit proton-ab
How to fix?
Upgrade irc-framework to version 4.7.0 or higher.
Overview
irc-framework is an IRC framework for node.js.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). Calling event.reply with a message like Hello World\nQUIT will cause the package to pass the input straight to sockets, which in turn will split its input by newlines, resulting in IRC server receiving two lines from client: PRIVMSG #dev :Hello World and QUIT.
The underlying function responsible for handling reply to events will properly split messages and append appropriate prefix (PRIVMSG #dev in previous example) for lines that are above threshold length, however it does not do such thing for messages that explicitly contain \n in them.