The messages received on "handshake" endpoint, which does not require authentication, are not freed if the content is not a JSON object (for example an array or any other JSON type).
A malicious client can send large arrays and cause memory exhaustion. The WeeChat process can be killed by the OOM killer.
Mitigation
There are multiple ways to mitigate this issue:
Remove all relays with protocol "api", see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow only trusted IP addresses, see: /help relay.network.allowed_ips