When receiving a DCC file, the filename built contains the remote nick (the option xfer.file.use_nick_in_filename is on by default).
If the nick contains special characters, the file could be written outside of the configured download path.
Xfer never overwrites existing files, so if a file exists with the same name, a suffix like ".1" is appended to the filename.
Mitigation
Turn off option to include nick in filename: /set xfer.file.use_nick_in_filename off.
Credit
The issue was discovered by aizu-m.
WSA-2026-3: [IRC] Missing size limit for the unterminated IRC message or isupport value (message 005).
When receiving data on the socket, the IRC plugin builds a partial message until "\r\n" is found.
There is no limit for the allocated message.
A malicious server sending large amount of data without end of message ("\r\n") can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
WSA-2026-2: [API, Relay] Non-constant time password/hash comparison.
WeeChat uses non-constant time password/hash comparison in the Relay plugin and in TOTP validation.
This could allow an attacker to guess a password, a hash or a TOTP and bypass relay authentication.
Mitigation
There are multiple ways to mitigate this issue:
Remove all relays, see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow some trusted IP addresses, see: /help relay.network.allowed_ips
Credit
The issue was discovered by Tristan Madani (@TristanInSec) from Talence Security.
WSA-2025-3: [Core] Integer overflow in conversion of version to an integer number.
Integer overflow happens in conversion of a version as string to an integer number, if the version is greater than 0x7FFFFFFF (127.255.255.255), so if the version is at least 0x80000000 (128.0.0.0).
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
WSA-2024-1: [Core, Plugins] Integer overflow in loops on lists.
An integer overflow can happen when looping over items in a list.
This can only happen in rare conditions on 32 and 64-bit systems, as the list must contain more than 2,147,483,647 elements.
On 16-bit systems, this happens with a list that contains more than 32,767 elements.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Yiheng Cao.
WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.
A buffer overflow happens when a new IRC message 005 is received with longer nick prefixes.
Note: a "normal" IRC server should not send again a message 005 with new nick prefixes, so the problem should be limited to malicious IRC servers.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.
WSA-2017-2: [Logger] Use of invalid pointer in build of log filename.
Date/time conversion specifiers are expanded after replacing buffer local variables in name of log files. In some cases, this can lead to an error in function strftime and a crash caused by the use of an uninitialized buffer.
Mitigation
You can unload the logger plugin, thus stopping recording of all buffers: /plugin unload logger.
Credit
The issue was discovered by Joseph Bisch.
WSA-2017-1: [IRC] Buffer overflow when receiving a DCC file.
Untrusted command for function hook_process could lead to execution of commands, because of shell expansions (so the problem is only caused by some scripts, not by WeeChat itself).
Mitigation
Remove/unload all scripts calling the API function hook_process.