Report a security issue

Please DO NOT file a GitHub issue for security related problems, but send an email to security@weechat.org instead.

Security vulnerabilities

This table contains a list of all known and fixed security vulnerabilities in WeeChat stable releases (the security vulnerabilities introduced during development of a version and fixed before stable release are not mentioned).

Note: you can be warned about security vulnerabilities by subscribing to this mailing list: weechat-security >>
External link / Tracker Severity Affected versions Fixed in version Release date Git Description / Workaround
- medium 0.3.8 → 0.4.0 0.4.1 May 20, 2013 * Uncontrolled format string when IRC commands are redirected by relay plugin. If the output or redirected command contains formatting chars like "%", this can lead to a crash of WeeChat.
> Workaround:
Do not use irc protocol in relay plugin.
- low 0.3.0 → 0.4.0 0.4.1 May 20, 2013 * Uncontrolled format string when sending unknown IRC command to server (if option "irc.network.send_unknown_commands" is on).
> Workaround:
Turn off option "irc.network.send_unknown_commands" or do not use formatting chars like "%" when sending unknown commands to server.
- low 0.3.6 → 0.4.0 0.4.1 May 20, 2013 * Uncontrolled format string when sending IRC "ison" command for nicks monitored with command /notify.
> Workaround:
Do not use command /notify with nicks containing formatting chars like "%".
bug #37764
critical 0.3.0 → Nov 18, 2012 * Untrusted command for function hook_process could lead to execution of commands, because of shell expansions (so the problem is only caused by some scripts, not by WeeChat itself).
> Workaround:
Remove/unload all scripts calling function hook_process (for maximum safety).
bug #37704
high 0.3.6 → 0.3.9 Nov 9, 2012 * Buffer overflow when decoding IRC colors in strings.
> Workaround:
/set irc.network.colors_receive off
patch #7459
medium 0.1.3 → 0.3.4 0.3.5 May 15, 2011 * Missing verifications in SSL certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate.
> There is no workaround.
bug #25862
high 0.2.6 Mar 14, 2009 * Crash when receiving special chars in IRC messages.
> There is no workaround.
- low 0.0.5 → 0.1.6 0.1.7 Jan 14, 2006 * * Uncontrolled format string in API function infobar_printf.
> There is no workaround.
- low 0.0.1 → 0.0.4 0.0.5 Feb 7, 2004 * Buffer overflows in build of strings.
> There is no workaround.
Security vulnerabilities are classified using 4 severity levels:
  • low: local problem which occurs in very specific conditions, low impact. Upgrade is not mandatory.
  • medium: problem affecting a specific feature. Upgrade is recommended at least for people using the feature.
  • high: severe problem. Upgrade is highly recommended.
  • critical: critical problem, risk of damage on your system. You MUST upgrade immediately!