PT-2022-24804 · Unknown · Matrix-Appservice-Irc

Published: 2022-09-13 · Updated: 2022-09-16 · CVE-2022-39203

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: matrix-appservice-irc versions prior to 0.35.0

Description: The issue allows an attacker to specify a specific string of characters that confuses the bridge into merging an attacker-owned channel with an existing channel, allowing the attacker to grant themselves permissions in that channel.

Recommendations: For versions prior to 0.35.0, update to version 0.35.0 to resolve the issue. As a temporary workaround, operators may disable dynamic channel joining via the dynamicChannels.enabled setting to prevent users from joining new channels.

Weakness Enumeration

Improper Privilege Management

Related Identifiers

CVE-2022-39203
GHSA-XVQG-MV25-RWVW

Affected Products

Matrix-Appservice-Irc