WeeChat :: documentation

WeeChat

Security vulnerabilities in version 4.9.1

This page lists all known and fixed security vulnerabilities in version 4.9.1 (back to the list of all versions).

Overview: 6 vulnerabilities

WSA	Score	Issue	Vulnerability type	Scope	Versions	Fix	Release date
WSA-2026-8	5.5	Buffer overflow in dump of Relay data.	Out-of-bounds read	Relay	4.3.0 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-7	7.5	Buffer overflow when receiving a line in a Xfer chat (DCC chat) buffer.	Out-of-bounds read	Xfer	1.3 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-6	9.3	Write of DCC file received outside of configured download path.	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	Xfer	0.0.8 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-5	6.2	Buffer overflow when receiving a DCC file.	Out-of-bounds read	IRC	4.1.0 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-4	6.5	Missing size limit for the received websocket frame, HTTP message and HTTP body.	Memory Allocation with Excessive Size Value	Relay	0.3.7 → 4.9.1	4.9.2	Jun 7, 2026
WSA-2026-3	6.5	Missing size limit for the unterminated IRC message or isupport value (message 005).	Memory Allocation with Excessive Size Value	IRC	0.3.3 → 4.9.1	4.9.2	Jun 7, 2026

WSA-2026-8: [Relay] Buffer overflow in dump of Relay data.

Vulnerability

CVE

Not available

CVSS vector

AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)

CVSS score

5.5 / 10

Severity

medium

Vulnerability type

Out-of-bounds read (detail)

Scope

Relay

Affected versions

4.3.0 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

issue #2324

Commits

Description

When dumping Relay data with /debug dump or /debug dump relay, any HTTP request with path_items defined causes an out-of-bounds read.

Mitigation

Do not use command /debug dump.

Credit

The issue was discovered by aizu-m.

WSA-2026-7: [Xfer] Buffer overflow when receiving a line in a Xfer chat (DCC chat) buffer.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds read (detail)

Scope

Xfer

Affected versions

1.3 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

issue #2323

Commits

Description

An empty line received in Xfer chat (DCC chat) causes a read before the beginning of a buffer.
This can lead to a crash of WeeChat.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

Credit

The issue was discovered by aizu-m.

WSA-2026-6: [Xfer] Write of DCC file received outside of configured download path.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H (detail)

CVSS score

9.3 / 10

Severity

critical

Vulnerability type

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (detail)

Scope

Xfer

Affected versions

0.0.8 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

issue #2321

Commits

Description

When receiving a DCC file, the filename built contains the remote nick (the option xfer.file.use_nick_in_filename is on by default).
If the nick contains special characters, the file could be written outside of the configured download path.
Xfer never overwrites existing files, so if a file exists with the same name, a suffix like ".1" is appended to the filename.

Mitigation

Turn off option to include nick in filename: /set xfer.file.use_nick_in_filename off.

Credit

The issue was discovered by aizu-m.

WSA-2026-5: [IRC] Buffer overflow when receiving a DCC file.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:O/RC:C (detail)

CVSS score

6.2 / 10

Severity

medium

Vulnerability type

Out-of-bounds read (detail)

Scope

IRC

Affected versions

4.1.0 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

issue #2322

Commits

Description

Buffer overflow when removing quotes in DCC filename.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.

Credit

The issue was discovered by aizu-m.

WSA-2026-4: [Relay] Missing size limit for the received websocket frame, HTTP message and HTTP body.

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

6.5 / 10

Severity

medium

Vulnerability type

Memory Allocation with Excessive Size Value (detail)

Scope

Relay

Affected versions

0.3.7 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

Not available

Commits

Description

When receiving part of websocket frame, HTTP message or HTTP body, the Relay plugin builds a partial buffer until the end of data is found.
There is no limit for the allocated buffer.
A malicious client sending large amount of data without end of websocket frame or HTTP message/body can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.

Mitigation

There are multiple ways to mitigate this issue:

Remove all relays, see: /help relay
Unload relay plugin with command: /plugin unload relay and see: /help weechat.plugin.autoload
Secure relay to allow only trusted IP addresses, see: /help relay.network.allowed_ips

WSA-2026-3: [IRC] Missing size limit for the unterminated IRC message or isupport value (message 005).

Vulnerability

CVE

Not available

CVSS vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

6.5 / 10

Severity

medium

Vulnerability type

Memory Allocation with Excessive Size Value (detail)

Scope

IRC

Affected versions

0.3.3 → 4.9.1

Fixed version

4.9.2 (Jun 7, 2026) - ChangeLog

Tracker

Not available

Commits

Description

When receiving data on the socket, the IRC plugin builds a partial message until "\r\n" is found.
There is no limit for the allocated message.
A malicious server sending large amount of data without end of message ("\r\n") can lead to memory exhaustion and the WeeChat process can be killed by the OOM killer.

Mitigation

There is no known mitigation.
The upgrade to the latest stable version is highly recommended.