SSB-DB · CVE-2020-4045
**Name of the Vulnerable Software and Affected Versions**
SSB-DB version 20.0.0
SSB-Server version 16.0.0
**Description**
The issue is an information disclosure vulnerability. The `get()` method is supposed to decrypt messages only when explicitly asked to, but a bug makes it decrypt any message it is able to. As a result it returns the decrypted content of private messages, which a malicious peer could use to gain access to private data. This only affects peers running SSB-DB@20.0.0 who also have private messages, and is only known to be exploitable if you are also running SSB-OOO, which exposes a thin wrapper around `get()` to anonymous peers.
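The following is an added illustration of the behaviour described above, not code from SSB-DB or SSB-Server. It models a tiny message store with a `get()` in the vulnerable shape (decrypts whenever it can) beside one in the fixed shape (decrypts only when the caller passes `private: true`), and a regression check a maintainer could keep to make sure an unprivileged call never yields plaintext. The `private` option name, the `canUnbox` flag standing in for the real "is this message addressed to us" crypto check, and the base64 + `.box` "boxing" are all constructed for the example and are not SSB's actual private-box format.

```javascript
// Added illustration (not ssb-db's code). The "boxing" below is a
// constructed stand-in (base64 + ".box" suffix), not SSB's real crypto.

function box(plaintext) {
  return Buffer.from(JSON.stringify(plaintext)).toString('base64') + '.box';
}

function isBoxed(content) {
  return typeof content === 'string' && content.endsWith('.box');
}

// Stand-in for "can this peer decrypt this message?". In the real system
// this is a cryptographic check against the recipient keys; here it is a flag.
function unbox(content, keys) {
  if (!isBoxed(content) || !keys.canUnbox) return null;
  return JSON.parse(Buffer.from(content.slice(0, -4), 'base64').toString());
}

// Constructed sample log: one public message, one private (boxed) message.
const store = {
  '%msg1': { author: '@alice', content: { type: 'post', text: 'hello world' } },
  '%msg2': {
    author: '@alice',
    content: box({ type: 'post', text: 'secret', recps: ['@alice', '@bob'] }),
  },
};
const ourKeys = { canUnbox: true }; // this peer is a recipient of %msg2

function idOf(opts) {
  return typeof opts === 'string' ? opts : opts.id;
}

// Vulnerable shape: decrypts whenever it can, ignoring what the caller asked for.
function getVulnerable(opts) {
  const msg = store[idOf(opts)];
  if (!msg) throw new Error('not found');
  const unboxed = unbox(msg.content, ourKeys);
  return unboxed ? { ...msg, content: unboxed } : msg;
}

// Fixed shape: decrypt only when the caller explicitly asks with private: true.
function getFixed(opts) {
  const wantPrivate = typeof opts === 'object' && opts.private === true;
  const msg = store[idOf(opts)];
  if (!msg) throw new Error('not found');
  if (!wantPrivate) return msg; // hand back the ciphertext untouched
  const unboxed = unbox(msg.content, ourKeys);
  return unboxed ? { ...msg, content: unboxed } : msg;
}

// Regression check: a call without the private flag (the shape a thin
// wrapper exposed to anonymous peers would make) must never return plaintext.
// Returns true if the given get() leaks the private message.
function leaksPrivate(getFn) {
  const viaString = getFn('%msg2');
  const viaObject = getFn({ id: '%msg2' });
  return !isBoxed(viaString.content) || !isBoxed(viaObject.content);
}

console.log('vulnerable get leaks:', leaksPrivate(getVulnerable)); // true
console.log('fixed get leaks:', leaksPrivate(getFixed));           // false
```

The point of `leaksPrivate` is that it exercises both call shapes (`id` string and `{ id }` object) without the flag; a store that only checks one shape can still leak through the other.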
**Recommendations**
For SSB-DB version 20.0.0, upgrade to version 20.0.1 immediately.
For SSB-Server version 16.0.0, upgrade to version 16.0.1 to get the fixed version of SSB-DB.
As a temporary workaround, consider disabling the SSB-OOO plugin to disable the most obvious attack vector.