CVE-2024-39691

Name of the Vulnerable Software and Affected Versions matrix-appservice-irc versions prior to 2.0.1

Description The issue arises from the reliance on the Matrix homeserver-provided timestamp to determine user access to events. A malicious Matrix homeserver can fabricate this timestamp to trick the bridge into leaking room messages it should not have access to. The bridge tracks event timestamps internally in version 2.0.1, dropping the reliance on origin server ts. As a workaround, limiting the amount of information leaked is possible by setting a reply template that doesn't contain the original message.

Recommendations For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider setting a reply template that doesn't contain the original message to limit the amount of information leaked.