Overview: 1 vulnerability

WSA Score Severity Issue Vulnerability type Scope Versions Fix Release date
WSA-2026-9 7.5
Memory leak in API relay, endpoint "handshake". Missing Release of Memory after Effective Lifetime Relay 4.7.0 → 4.9.2 4.9.3

WSA-2026-9: [Relay] Memory leak in API relay, endpoint "handshake".

Vulnerability
CVE
Not available
CVSS vector
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Missing Release of Memory after Effective Lifetime (detail)
Scope
Relay
Affected versions
4.7.0 → 4.9.2
Fixed version
4.9.3 () - ChangeLog
Commits
Description
The messages received on "handshake" endpoint, which does not require authentication, are not freed if the content is not a JSON object (for example an array or any other JSON type).
A malicious client can send large arrays and cause memory exhaustion. The WeeChat process can be killed by the OOM killer.
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Sajda Kabir.