← back
CVE-2025-27146

Matrix IRC Bridge allows IRC command injection to own puppeted user

CVSS 2.7 LOWEPSS 0.3%CWE-77CWE-88
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.7EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Feb 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user. The vulnerability has been patched in matrix-appservice-irc version 3.0.4.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Affected products
matrix-org · matrix-appservice-irc

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/matrix-org/matrix-appservice-irc/commit/74f02c8e11f16ed1b355700092c1aa9c036a11bdhttps://github.com/matrix-org/matrix-appservice-irc/security/advisories/GHSA-5mvm-89c9-9gm5