WeeChat :: documentation

Overview: 1 vulnerability

WSA	CVE	Score	Severity	Issue	Vulnerability type	Scope	Versions	Fix	Release date
WSA-2025-8	-	7.5		Crash on malformed HTTP message in relay plugin, protocol "api".	NULL Pointer Dereference	Relay	4.7.0	4.7.1	Aug 16, 2025

WSA-2025-8: [Relay] Crash on malformed HTTP message in relay plugin, protocol "api".

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

NULL Pointer Dereference (detail)

Scope

Relay

Affected versions

4.7.0

Fixed version

4.7.1 (Aug 16, 2025) - ChangeLog

Tracker

Not available

Commits

Description

A crash happens when decoding a malformed HTTP message in relay plugin, protocol "api".
This happens even if the client is not authenticated, the HTTP message is parsed before the authentication.

Mitigation

There are multiple ways to mitigate this issue:

Rremove all relays with protocol "api", see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow only some trusted IP addresses, see: /help relay.network.allowed_ips