WeeChat :: documentation

WeeChat

Security vulnerabilities in version 0.4.0

This page lists all known and fixed security vulnerabilities in version 0.4.0 (back to the list of all versions).

Overview: 14 vulnerabilities

WSA	Score	Issue	Vulnerability type	Scope	Versions	Fix	Release date
WSA-2026-6	9.3	Write of DCC file received outside of configured download path.	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Xfer	0.0.8 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-4	6.5	Missing size limit for the received websocket frame, HTTP message and HTTP body.	Memory Allocation with Excessive Size Value	Relay	0.3.7 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-3	6.5	Missing size limit for the unterminated IRC message or isupport value (message 005).	Memory Allocation with Excessive Size Value	IRC	0.3.3 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-2	7.4	Non-constant time password/hash comparison.	Observable Timing Discrepancy	API, Relay	0.3.4 → 4.9.0	4.9.1	May 31, 2026
WSA-2025-3	3.9	Integer overflow in conversion of version to an integer number.	Integer Overflow or Wraparound	Core	0.3.2 → 4.6.2	4.6.3	May 11, 2025
WSA-2024-1	3.8	Integer overflow in loops on lists.	Integer Overflow or Wraparound	Core, Plugins	0.1.6 → 4.4.1	4.4.2	Sep 8, 2024
WSA-2020-3	7.5	Buffer overflow on new IRC message 005 with nick prefixes.	Out-of-bounds write	IRC	0.3.4 → 2.7	2.7.1	Feb 20, 2020
WSA-2020-2	7.5	Crash on malformed IRC message 352 (WHO).	Out-of-bounds read	IRC	0.4.0 → 2.7	2.7.1	Feb 20, 2020
WSA-2020-1	7.5	Buffer overflow on malformed IRC message 324 (channel mode).	Out-of-bounds write	IRC	0.3.8 → 2.7	2.7.1	Feb 20, 2020
WSA-2017-2	7.5	Use of invalid pointer in build of log filename.	Access of uninitialized pointer	Logger	0.3.2 → 1.9	1.9.1	Sep 23, 2017
WSA-2017-1	7.5	Buffer overflow when receiving a DCC file.	Out-of-bounds write	IRC	0.3.3 → 1.7	1.7.1	Apr 22, 2017
WSA-2013-3	7.5	Crash on IRC commands sent via Relay.	Access of uninitialized pointer	Relay	0.3.8 → 0.4.0	0.4.1	May 20, 2013
WSA-2013-2	5.5	Crash on send of unknown commands to IRC server.	Access of uninitialized pointer	IRC	0.3.0 → 0.4.0	0.4.1	May 20, 2013
WSA-2013-1	5.5	Crash on nicks monitored with /notify.	Access of uninitialized pointer	IRC	0.3.6 → 0.4.0	0.4.1	May 20, 2013

WSA-2026-6: [Xfer] Write of DCC file received outside of configured download path.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H (detail)

CVSS score

9.3 / 10

Severity

critical

Vulnerability type

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (detail)

Scope

Xfer

Affected versions

0.0.8 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

issue #2321

Commits

Description

When receiving a DCC file, the filename built contains the remote nick (the option xfer.file.use_nick_in_filename is on by default).
If the nick contains special characters, the file could be written outside of the configured download path.
Xfer never overwrites existing files, so if a file exists with the same name, a suffix like ".1" is appended to the filename.

Mitigation

Turn off option to include nick in filename: /set xfer.file.use_nick_in_filename off.

Credit

The issue was discovered by aizu-m.

WSA-2026-4: [Relay] Missing size limit for the received websocket frame, HTTP message and HTTP body.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

6.5 / 10

Severity

medium

Vulnerability type

Memory Allocation with Excessive Size Value (detail)

Scope

Relay

Affected versions

0.3.7 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

Not available

Commits

Description

When receiving part of websocket frame, HTTP message or HTTP body, the Relay plugin builds a partial buffer until the end of data is found.
There is no limit for the allocated buffer.
A malicious client sending large amount of data without end of websocket frame or HTTP message/body can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.

Mitigation

There are multiple ways to mitigate this issue:

Remove all relays, see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow only trusted IP addresses, see: /help relay.network.allowed_ips

WSA-2026-3: [IRC] Missing size limit for the unterminated IRC message or isupport value (message 005).

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

6.5 / 10

Severity

medium

Vulnerability type

Memory Allocation with Excessive Size Value (detail)

Scope

IRC

Affected versions

0.3.3 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

Not available

Commits

Description

When receiving data on the socket, the IRC plugin builds a partial message until "\r\n" is found.
There is no limit for the allocated message.
A malicious server sending large amount of data without end of message ("\r\n") can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2026-2: [API, Relay] Non-constant time password/hash comparison.

Vulnerability

CVE

Pending

CVSS vector

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H (detail)

CVSS score

7.4 / 10

Severity

high

Vulnerability type

Observable Timing Discrepancy (detail)

Scope

API, Relay

Affected versions

0.3.4 → 4.9.0

Fixed version

4.9.1 (May 31, 2026) - ChangeLog

Tracker

GHSA-vhv8-g2r9-cwcc

Commits

Description

WeeChat uses non-constant time password/hash comparison in the Relay plugin and in TOTP validation.
This could allow an attacker to guess a password, a hash or a TOTP and bypass relay authentication.

Mitigation

There are multiple ways to mitigate this issue:

Remove all relays, see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow some trusted IP addresses, see: /help relay.network.allowed_ips

Credit

The issue was discovered by Tristan Madani (@TristanInSec) from Talence Security.

WSA-2025-3: [Core] Integer overflow in conversion of version to an integer number.

Vulnerability

CVE

Not available

CVSS vector

AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)

CVSS score

3.9 / 10

Severity

medium

Vulnerability type

Integer Overflow or Wraparound (detail)

Scope

Core

Affected versions

0.3.2 → 4.6.2

Fixed version

4.6.3 (May 11, 2025) - ChangeLog

Tracker

Not available

Commits

Description

Integer overflow happens in conversion of a version as string to an integer number, if the version is greater than 0x7FFFFFFF (127.255.255.255), so if the version is at least 0x80000000 (128.0.0.0).

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2024-1: [Core, Plugins] Integer overflow in loops on lists.

Vulnerability

CVE

CVE-2024-46613 [ MITRE / NVD ]

CVSS vector

AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)

CVSS score

3.8 / 10

Severity

low

Vulnerability type

Integer Overflow or Wraparound (detail)

Scope

Core, Plugins

Affected versions

0.1.6 → 4.4.1

Fixed version

4.4.2 (Sep 8, 2024) - ChangeLog

Tracker

issue #2178

Commits

Description

An integer overflow can happen when looping over items in a list.
This can only happen in rare conditions on 32 and 64-bit systems, as the list must contain more than 2,147,483,647 elements.
On 16-bit systems, this happens with a list that contains more than 32,767 elements.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

Credit

The issue was discovered by Yiheng Cao.

WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.

Vulnerability

CVE

CVE-2020-9760 [ MITRE / NVD ]

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds write (detail)

Scope

IRC

Affected versions

0.3.4 → 2.7

Fixed version

2.7.1 (Feb 20, 2020) - ChangeLog

Tracker

Not available

Commits

Description

A buffer overflow happens when a new IRC message 005 is received with longer nick prefixes.
Note: a "normal" IRC server should not send again a message 005 with new nick prefixes, so the problem should be limited to malicious IRC servers.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

Credit

The issue was discovered by Stuart Nevans Locke.

WSA-2020-2: [IRC] Crash on malformed IRC message 352 (WHO).

Vulnerability

CVE

CVE-2020-9759 [ MITRE / NVD ]

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds read (detail)

Scope

IRC

Affected versions

0.4.0 → 2.7

Fixed version

2.7.1 (Feb 20, 2020) - ChangeLog

Tracker

Not available

Commits

Description

Crash when receiving a malformed IRC message 352 (WHO).

Mitigation

With WeeChat ≥ 1.1, you can create a trigger:

/trigger add fix_irc_352 modifier "irc_in_352" "${arguments} =~ .* \*$" "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.

Credit

The issue was discovered by Stuart Nevans Locke.

WSA-2020-1: [IRC] Buffer overflow on malformed IRC message 324 (channel mode).

Vulnerability

CVE

CVE-2020-8955 [ MITRE / NVD ]

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds write (detail)

Scope

IRC

Affected versions

0.3.8 → 2.7

Fixed version

2.7.1 (Feb 20, 2020) - ChangeLog

Tracker

Not available

Commits

Description

Buffer overflow when receiving a malformed IRC message 324 (channel mode).

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

Credit

The issue was discovered by Stuart Nevans Locke.

WSA-2017-2: [Logger] Use of invalid pointer in build of log filename.

Vulnerability

CVE

CVE-2017-14727 [ MITRE / NVD ]

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Access of uninitialized pointer (detail)

Scope

Logger

Affected versions

0.3.2 → 1.9

Fixed version

1.9.1 (Sep 23, 2017) - ChangeLog

Tracker

Not available

Commits

Description

Date/time conversion specifiers are expanded after replacing buffer local variables in name of log files. In some cases, this can lead to an error in function strftime and a crash caused by the use of an uninitialized buffer.

Mitigation

You can unload the logger plugin, thus stopping recording of all buffers: /plugin unload logger.

Credit

The issue was discovered by Joseph Bisch.

WSA-2017-1: [IRC] Buffer overflow when receiving a DCC file.

Vulnerability

CVE

CVE-2017-8073 [ MITRE / NVD ]

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds write (detail)

Scope

IRC

Affected versions

0.3.3 → 1.7

Fixed version

1.7.1 (Apr 22, 2017) - ChangeLog

Tracker

Not available

Commits

Description

Buffer overflow when removing quotes in DCC filename.

Mitigation

With WeeChat ≥ 1.1, you can create a trigger:

/trigger add irc_dcc_quotes modifier "irc_in_privmsg" "${arguments} =~ ^[^ ]+ :${\x01}DCC SEND ${\x22} " "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.

Credit

The issue was discovered by Tobias Stoeckmann.

WSA-2013-3: [Relay] Crash on IRC commands sent via Relay.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Access of uninitialized pointer (detail)

Scope

Relay

Affected versions

0.3.8 → 0.4.0

Fixed version

0.4.1 (May 20, 2013) - ChangeLog

Tracker

Not available

Commits

Description

Strings are built with uncontrolled format when IRC commands are redirected by relay plugin. If the output or redirected command contains formatting chars like "%", this can lead to a crash of WeeChat.

Mitigation

You can remove all relays of type "irc", see /help relay.

WSA-2013-2: [IRC] Crash on send of unknown commands to IRC server.

Vulnerability

CVE

Not available

CVSS vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)

CVSS score

5.5 / 10

Severity

medium

Vulnerability type

Access of uninitialized pointer (detail)

Scope

IRC

Affected versions

0.3.0 → 0.4.0

Fixed version

0.4.1 (May 20, 2013) - ChangeLog

Tracker

Not available

Commits

Description

Strings are built with uncontrolled format when unknown IRC commands are sent to server, if option irc.network.send_unknown_commands is enabled.

Mitigation

There are multiple ways to mitigate this issue:

Turn off option to send unknown commands: /set irc.network.send_unknown_commands off
Do not use formatting chars like "%" when sending unknown commands to server.

WSA-2013-1: [IRC] Crash on nicks monitored with /notify.

Vulnerability

CVE

Not available

CVSS vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)

CVSS score

5.5 / 10

Severity

medium

Vulnerability type

Access of uninitialized pointer (detail)

Scope

IRC

Affected versions

0.3.6 → 0.4.0

Fixed version

0.4.1 (May 20, 2013) - ChangeLog

Tracker

Not available

Commits

Description

Strings are built with uncontrolled format when nicks containing "%" are monitored with command /notify.

Mitigation

Do not use command /notify with nicks containing formatting chars like "%".