PT-2022-24803 · Node-Irc+1

Val Lorentz · Published 2022-09-13 · Updated 2022-09-16 · CVE-2022-39202

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: matrix-appservice-irc versions prior to 0.35.0

Description: The issue arises from a bug in the underlying matrix-org/node-irc library, causing matrix-appservice-irc to incorrectly parse multiple modes in a single mode command. This can potentially result in the wrong user being given permissions. Mode commands can only be executed by privileged users, so exploitation requires an operator to be tricked into running the command on behalf of an attacker.

Recommendations: For versions prior to 0.35.0, update to version 0.35.0 to resolve the issue. As a temporary workaround, refrain from entering mode commands suggested by untrusted users. Avoid using multiple modes in a single command until the issue is resolved.
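The description above turns on one invariant: in an IRC MODE command such as "+oo-v alice bob carol", every mode letter that consumes an argument must be paired with the argument in the same position, and a parser that loses that pairing can hand +o to the wrong nick. The following is an added example, not code from node-irc or matrix-appservice-irc, and it does not reproduce the specific defect fixed in 0.35.0 (the advisory does not detail it). It shows a strict positional parser that refuses, rather than guesses, when argument counts do not match, and a small privilege map to check who ends up with operator status. The mode tables are the standard RFC 1459 / RFC 2812 channel modes; a real client would take them from the server's ISUPPORT CHANMODES instead (an assumption made here for brevity).

```javascript
// Added example (not node-irc or matrix-appservice-irc code): a strict parser for
// IRC channel MODE strings that pairs every mode letter with the argument it consumes.
// Mode tables follow RFC 1459 / RFC 2812 channel modes; a real client would build
// them from the server's ISUPPORT CHANMODES (assumption: a fixed table suffices here).

// Modes that always take an argument, whether set (+) or removed (-).
const PARAM_ALWAYS = new Set(['o', 'v', 'h', 'b', 'k']);
// Modes that take an argument only when set.
const PARAM_ON_SET = new Set(['l']);

function modeTakesArg(mode, adding) {
  if (PARAM_ALWAYS.has(mode)) return true;
  if (PARAM_ON_SET.has(mode)) return adding;
  return false;
}

// Turn "+oo-v alice bob carol" into [{adding, mode, arg}] using positional pairing.
// Throws on malformed input instead of guessing, so a missing or surplus argument
// can never shift a privilege onto a different nick than the operator intended.
function parseModeCommand(modeString) {
  const [modes, ...args] = modeString.trim().split(/\s+/);
  const changes = [];
  let adding = true;
  let argIndex = 0;
  for (const ch of modes) {
    if (ch === '+') { adding = true; continue; }
    if (ch === '-') { adding = false; continue; }
    let arg = null;
    if (modeTakesArg(ch, adding)) {
      if (argIndex >= args.length) {
        throw new Error(`mode ${adding ? '+' : '-'}${ch} is missing its argument`);
      }
      arg = args[argIndex++];
    }
    changes.push({ adding, mode: ch, arg });
  }
  if (argIndex !== args.length) {
    throw new Error(`${args.length - argIndex} unused argument(s) in MODE command`);
  }
  return changes;
}

// Apply parsed changes to a per-nick privilege map (Map<nick, Set<modeLetter>>).
// Only the user-prefix modes o/h/v are tracked here; channel-wide modes are ignored.
function applyModes(privileges, changes) {
  const state = new Map(privileges);
  for (const { adding, mode, arg } of changes) {
    if (mode !== 'o' && mode !== 'v' && mode !== 'h') continue;
    const current = new Set(state.get(arg) || []);
    if (adding) current.add(mode); else current.delete(mode);
    state.set(arg, current);
  }
  return state;
}

// Which nicks hold +o after a command is applied to a starting state (sorted).
function operatorsAfter(privileges, modeString) {
  const state = applyModes(privileges, parseModeCommand(modeString));
  return [...state.entries()]
    .filter(([, modes]) => modes.has('o'))
    .map(([nick]) => nick)
    .sort();
}

// Constructed sample state: carol is currently +o +v; an operator ops alice and bob
// and deops carol in one command. Exactly alice and bob must end up with +o.
const sampleChannel = new Map([['carol', new Set(['o', 'v'])]]);
console.log(operatorsAfter(sampleChannel, '+oo-o alice bob carol')); // ['alice', 'bob']
```

The two error paths are the defensive point: when the count of argument-taking modes and the count of supplied arguments disagree, the safe behaviour for a bridge acting on an operator's behalf is to reject the whole command, because any heuristic for re-aligning the leftovers is exactly the kind of mis-pairing this advisory describes.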

Weakness Enumeration: Improper Privilege Management

Related Identifiers:
CVE-2022-39202
GHSA-CQ7Q-5C67-W39W

Affected Products:
Matrix-Appservice-Irc
Node-Irc