CVE-2025-27146
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Description
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user. The vulnerability has been patched in matrix-appservice-irc version 3.0.4.
Analysis
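matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerability is rated low severity (CVSS 2.7). It is remotely exploitable with low attack complexity; per the CVSS vector it requires high privileges and no user interaction, and its impact is limited to low integrity, with no confidentiality or availability impact. It is a Command Injection vulnerability: the injected commands are IRC commands executed as the attacker's own puppeted IRC user.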
Technical Context
This vulnerability is classified as Command Injection (CWE-77). In matrix-appservice-irc, the bridge up to version 3.0.3 can be made to execute arbitrary IRC commands as the puppeted user, and the attacker can only inject commands executed as their own IRC user. The vulnerability has been patched in version 3.0.4. Affected products include: Matrix Matrix Irc Bridge. Affected versions: up to 3.0.3.
Affected Products
Matrix Matrix Irc Bridge.
Remediation
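A vendor patch is available: the vulnerability is patched in matrix-appservice-irc version 3.0.4. Apply the update as soon as possible. General guidance for Command Injection (CWE-77): use parameterized APIs, avoid shell execution, and validate input with strict allowlists.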