CVE-2024-32000

Name of the Vulnerable Software and Affected Versions matrix-appservice-irc versions prior to 2.0.0

Description The issue allows a malicious user to leak the truncated body of a message if they send a Matrix reply to an event ID they don't have access to. The malicious user needs to know the event ID of the message they want to leak and be joined to both the Matrix room and the IRC channel it is bridged to. The message reply containing the leaked message content is visible to IRC channel members.

Recommendations For versions prior to 2.0.0, upgrade to version 2.0.0 to resolve the issue. As a temporary workaround, consider setting a reply template that doesn't contain the original message to limit the amount of information leaked.