Security vulnerabilities in version 4.0.7

This page lists all known and fixed security vulnerabilities in version 4.0.7 (back to the list of all versions).

Overview: 11 vulnerabilities

WSA Score Severity Issue Vulnerability type Scope Versions Fix Release date
WSA-2026-7 7.5
Buffer overflow when receiving a line in a Xfer chat (DCC chat) buffer. Out-of-bounds read Xfer 1.3 → 4.9.1 4.9.2
WSA-2026-6 9.3
Write of DCC file received outside of configured download path. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Xfer 0.0.8 → 4.9.1 4.9.2
WSA-2026-4 6.5
Missing size limit for the received websocket frame, HTTP message and HTTP body. Memory Allocation with Excessive Size Value Relay 0.3.7 → 4.9.1 4.9.2
WSA-2026-3 6.5
Missing size limit for the unterminated IRC message or isupport value (message 005). Memory Allocation with Excessive Size Value IRC 0.3.3 → 4.9.1 4.9.2
WSA-2026-2 7.4
Non-constant time password/hash comparison. Observable Timing Discrepancy API, Relay 0.3.4 → 4.9.0 4.9.1
WSA-2025-7 3.9
Buffer overflow in range of chars in evaluated expressions. Out-of-bounds read Core 3.8 → 4.6.2 4.6.3
WSA-2025-6 3.9
Buffer overflow in base 32 encoding in evaluated expressions. Out-of-bounds write Core 2.9 → 4.6.2 4.6.3
WSA-2025-3 3.9
Integer overflow in conversion of version to an integer number. Integer Overflow or Wraparound Core 0.3.2 → 4.6.2 4.6.3
WSA-2025-2 3.9
Integer overflow in base32 decode/encode functions. Integer Overflow or Wraparound Core 2.4 → 4.6.2 4.6.3
WSA-2025-1 3.9
Integer overflow with decimal numbers in calculation of expression. Integer Overflow or Wraparound Core 2.7 → 4.6.2 4.6.3
WSA-2024-1 3.8
Integer overflow in loops on lists. Integer Overflow or Wraparound Core, Plugins 0.1.6 → 4.4.1 4.4.2

WSA-2026-7: [Xfer] Buffer overflow when receiving a line in a Xfer chat (DCC chat) buffer.

Vulnerability
CVE
Not available
CVSS vector
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds read (detail)
Scope
Xfer
Affected versions
1.3 → 4.9.1
Fixed version
4.9.2 () - ChangeLog
Tracker
issue #2323
Commits
Commit
Description
An empty line received in Xfer chat (DCC chat) causes a read before the beginning of a buffer.
This can lead to a crash of WeeChat.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by aizu-m.

WSA-2026-6: [Xfer] Write of DCC file received outside of configured download path.

Vulnerability
CVE
Not available
CVSS vector
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H (detail)
CVSS score
9.3 / 10
Severity
critical
Vulnerability type
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (detail)
Scope
Xfer
Affected versions
0.0.8 → 4.9.1
Fixed version
4.9.2 () - ChangeLog
Tracker
issue #2321
Commits
Commit
Description
When receiving a DCC file, the filename built contains the remote nick (the option xfer.file.use_nick_in_filename is on by default).
If the nick contains special characters, the file could be written outside of the configured download path.
Xfer never overwrites existing files, so if a file exists with the same name, a suffix like ".1" is appended to the filename.
Mitigation
Turn off option to include nick in filename: /set xfer.file.use_nick_in_filename off.
Credit
The issue was discovered by aizu-m.

WSA-2026-4: [Relay] Missing size limit for the received websocket frame, HTTP message and HTTP body.

Vulnerability
CVE
Not available
CVSS vector
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
6.5 / 10
Severity
medium
Vulnerability type
Memory Allocation with Excessive Size Value (detail)
Scope
Relay
Affected versions
0.3.7 → 4.9.1
Fixed version
4.9.2 () - ChangeLog
Tracker
Not available
Commits
Commit Commit
Description
When receiving part of websocket frame, HTTP message or HTTP body, the Relay plugin builds a partial buffer until the end of data is found.
There is no limit for the allocated buffer.
A malicious client sending large amount of data without end of websocket frame or HTTP message/body can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.
Mitigation
There are multiple ways to mitigate this issue:

WSA-2026-3: [IRC] Missing size limit for the unterminated IRC message or isupport value (message 005).

Vulnerability
CVE
Not available
CVSS vector
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
6.5 / 10
Severity
medium
Vulnerability type
Memory Allocation with Excessive Size Value (detail)
Scope
IRC
Affected versions
0.3.3 → 4.9.1
Fixed version
4.9.2 () - ChangeLog
Tracker
Not available
Commits
Commit Commit
Description
When receiving data on the socket, the IRC plugin builds a partial message until "\r\n" is found.
There is no limit for the allocated message.
A malicious server sending large amount of data without end of message ("\r\n") can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2026-2: [API, Relay] Non-constant time password/hash comparison.

Vulnerability
CVE
Pending
CVSS vector
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H (detail)
CVSS score
7.4 / 10
Severity
high
Vulnerability type
Observable Timing Discrepancy (detail)
Scope
API, Relay
Affected versions
0.3.4 → 4.9.0
Fixed version
4.9.1 () - ChangeLog
Tracker
GHSA-vhv8-g2r9-cwcc
Commits
Commit Commit Commit
Description
WeeChat uses non-constant time password/hash comparison in the Relay plugin and in TOTP validation.
This could allow an attacker to guess a password, a hash or a TOTP and bypass relay authentication.
Mitigation
There are multiple ways to mitigate this issue:
Credit
The issue was discovered by Tristan Madani (@TristanInSec) from Talence Security.

WSA-2025-7: [Core] Buffer overflow in range of chars in evaluated expressions.

Vulnerability
CVE
Not available
CVSS vector
AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.9 / 10
Severity
medium
Vulnerability type
Out-of-bounds read (detail)
Scope
Core
Affected versions
3.8 → 4.6.2
Fixed version
4.6.3 () - ChangeLog
Tracker
Not available
Commits
Commit
Description
Buffer overflow in range of chars in evaluated expressions.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2025-6: [Core] Buffer overflow in base 32 encoding in evaluated expressions.

Vulnerability
CVE
Not available
CVSS vector
AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.9 / 10
Severity
medium
Vulnerability type
Out-of-bounds write (detail)
Scope
Core
Affected versions
2.9 → 4.6.2
Fixed version
4.6.3 () - ChangeLog
Tracker
Not available
Commits
Commit
Description
A buffer overflow happens in base 32 encoding in evaluated expressions, where padding is made in the resulting string.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2025-3: [Core] Integer overflow in conversion of version to an integer number.

Vulnerability
CVE
Not available
CVSS vector
AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.9 / 10
Severity
medium
Vulnerability type
Integer Overflow or Wraparound (detail)
Scope
Core
Affected versions
0.3.2 → 4.6.2
Fixed version
4.6.3 () - ChangeLog
Tracker
Not available
Commits
Commit
Description
Integer overflow happens in conversion of a version as string to an integer number, if the version is greater than 0x7FFFFFFF (127.255.255.255), so if the version is at least 0x80000000 (128.0.0.0).
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2025-2: [Core] Integer overflow in base32 decode/encode functions.

Vulnerability
CVE
Not available
CVSS vector
AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.9 / 10
Severity
medium
Vulnerability type
Integer Overflow or Wraparound (detail)
Scope
Core
Affected versions
2.4 → 4.6.2
Fixed version
4.6.3 () - ChangeLog
Tracker
Not available
Commits
Commit
Description
An integer overflow may happen in base32 encode/decode functions.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2025-1: [Core] Integer overflow with decimal numbers in calculation of expression.

Vulnerability
CVE
Not available
CVSS vector
AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.9 / 10
Severity
medium
Vulnerability type
Integer Overflow or Wraparound (detail)
Scope
Core
Affected versions
2.7 → 4.6.2
Fixed version
4.6.3 () - ChangeLog
Tracker
Not available
Commits
Commit
Description
An integer overflow happens when using numbers with 9 or more decimals in calculation of expression, for example: /eval -n ${calc:0.123456789}.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

WSA-2024-1: [Core, Plugins] Integer overflow in loops on lists.

Vulnerability
CVE
CVE-2024-46613 [ MITRE / NVD ]
CVSS vector
AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C (detail)
CVSS score
3.8 / 10
Severity
low
Vulnerability type
Integer Overflow or Wraparound (detail)
Scope
Core, Plugins
Affected versions
0.1.6 → 4.4.1
Fixed version
4.4.2 () - ChangeLog
Tracker
issue #2178
Commits
Commit Commit Commit Commit Commit
Description
An integer overflow can happen when looping over items in a list.
This can only happen in rare conditions on 32 and 64-bit systems, as the list must contain more than 2,147,483,647 elements.
On 16-bit systems, this happens with a list that contains more than 32,767 elements.
Mitigation
There is no known mitigation.
The upgrade to the latest stable version is highly recommended.
Credit
The issue was discovered by Yiheng Cao.

GitHub Mastodon X

Copyright © 2003-2026 Sébastien HelleuAbout WeeChat.org — Theme: light (dark)