Overview: 1 vulnerability
WSA: WSA-2026-1
Score: 6.5
Severity:
Issue: Missing size limit for the decompressed websocket frame in relay plugin, protocol "api".
Vulnerability type: Improper Handling of Highly Compressed Data (Data Amplification)
Scope: Relay
Versions: 4.3.0 → 4.9.0
Fix: 4.9.1
Release date: May 31, 2026
WSA-2026-1 : [Relay] Missing size limit for the decompressed websocket frame in relay plugin, protocol "api".
Vulnerability
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Improper Handling of Highly Compressed Data (Data Amplification)
Affected versions
4.3.0 → 4.9.0
Description
When decompressing a websocket frame received from a Relay client using the "api" protocol with permessage-deflate enabled, WeeChat allocates memory without an upper limit.
With a highly compressed frame, this can lead to memory exhaustion, and the WeeChat process can be killed by the OOM killer.
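The missing check, shown as an added example (not WeeChat's code and not the fix shipped in 4.9.1): a permessage-deflate message is inflated in chunks and rejected once the output passes a cap. The 1 MiB cap, the function names and the use of Python's zlib module are assumptions made for this illustration.

```python
import zlib

MAX_MESSAGE_SIZE = 1024 * 1024      # assumed cap for this example, not a WeeChat value
DEFLATE_TAIL = b"\x00\x00\xff\xff"  # RFC 7692: sender strips it, receiver re-appends it
CHUNK = 64 * 1024                   # maximum output produced per zlib call


class FrameTooLarge(Exception):
    """The decompressed message would exceed the cap."""


def deflate_message(payload: bytes) -> bytes:
    """Sender side of permessage-deflate, used here to build sample frames."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no zlib header
    return (comp.compress(payload) + comp.flush(zlib.Z_SYNC_FLUSH))[:-4]


def inflate_bounded(frame: bytes, limit: int = MAX_MESSAGE_SIZE) -> bytes:
    """Inflate one message, refusing to produce more than `limit` bytes."""
    decomp = zlib.decompressobj(wbits=-15)
    out = bytearray()
    pending = frame + DEFLATE_TAIL
    while pending:
        # Ask for at most one byte past the cap, so memory use stays bounded
        # and an oversized message is detected before it is fully expanded.
        out += decomp.decompress(pending, min(CHUNK, limit - len(out) + 1))
        if len(out) > limit:
            raise FrameTooLarge(f"decompressed size exceeds {limit} bytes")
        pending = decomp.unconsumed_tail
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input: a highly compressible message (8 MiB of zeros).
    frame = deflate_message(bytes(8 * 1024 * 1024))
    print(f"compressed frame: {len(frame)} bytes")
    try:
        inflate_bounded(frame)
    except FrameTooLarge as exc:
        print(f"rejected: {exc}")
    # Constructed sample input: an ordinary small message passes through.
    print(inflate_bounded(deflate_message(b"constructed sample message")))
```

Without the `max_length` argument and the size check, the same call would expand the whole message in memory regardless of its decompressed size.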
Mitigation
There are multiple ways to mitigate this issue:
Disable permessage-deflate compression: relay.network.websocket_permessage_deflate (recommended)
Remove all relays with protocol "api", see: /help relay
Unload the relay plugin with the command /plugin unload relay, and see: /help weechat.plugin.autoload
Secure relay to allow only some trusted IP addresses, see: /help relay.network.allowed_ips
Credit
The issue was discovered by Tristan Madani (@TristanInSec) from Talence Security.