Baileys CVE-2026-48063

CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-06-10 https://github.com/WhiskeySockets/Baileys GHSA-qvv5-jq5g-4cgg

Severity by source

vuln.today AI
8.2 HIGH

Crafted protocolMessage is delivered over the WhatsApp network with no auth or interaction (AV:N/AC:L/PR:N/UI:N); primary impact is integrity (I:H) via spoofing, partial availability via app-state jamming (A:L), no confidentiality loss (C:N).

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Lifecycle Timeline

Source Code Evidence Fetched: Jun 10, 2026 - 20:00 (vuln.today)
Analysis Generated: Jun 10, 2026 - 20:00 (vuln.today)

Description (CVE.org)

Impact

Any Baileys session on a version below the latest (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage path, which triggers a fake messages.upsert event with a fake message key and payload. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key shares, and allows history sync spoofing, which causes the same problem by injecting fake previous context or "on-demand" sync.

Patches

The issue is patched in commit https://github.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35, and a version tag has been released under 7.0.0 (6.7.22) for those still on Baileys v6. A new Baileys version, v7.0.0-rc12, has been released to remediate this.

Workarounds

There are no real workarounds other than dropping messages.upsert events that contain a requestId field and turning off automatic history sync (shouldSyncHistoryMessage: () => false) in the socket config. There are no workarounds for the app state sync jamming.
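The two workaround settings above, as an added example that is not code from Baileys or from the advisory: a wrapper that drops every messages.upsert event carrying a requestId, plus the config fragment. The names guardUpsert, onDrop and runSample are hypothetical, and the event objects are constructed samples.

```javascript
// Added example, not Baileys code. Event objects are constructed samples.

// Socket config fragment from the workaround: disable automatic history sync.
const socketConfigWorkaround = {
  shouldSyncHistoryMessage: () => false,
};

// Wrap an application handler so that any messages.upsert event carrying a
// requestId is dropped before application logic sees it.
// onDrop is a hypothetical hook for logging or metrics.
function guardUpsert(handler, onDrop = () => {}) {
  return (event) => {
    const hasRequestId = event != null && event.requestId != null;
    if (hasRequestId) {
      onDrop(event);
      return false; // dropped
    }
    handler(event);
    return true; // delivered
  };
}

// Constructed events: one ordinary upsert, one carrying a requestId.
const sampleEvents = [
  { type: 'notify',
    messages: [{ key: { id: 'CONSTRUCTED-1', fromMe: false }, message: { conversation: 'hello' } }] },
  { type: 'notify', requestId: 'constructed-request-id',
    messages: [{ key: { id: 'CONSTRUCTED-2', fromMe: false }, message: { conversation: 'forged text' } }] },
];

// Runs the guard over the samples and reports what was delivered and dropped.
function runSample() {
  const delivered = [];
  const droppedIds = [];
  const guarded = guardUpsert((e) => delivered.push(e), (e) => droppedIds.push(e.requestId));
  const results = sampleEvents.map((e) => guarded(e));
  return { results, deliveredCount: delivered.length, droppedIds };
}

// With a real socket: sock.ev.on('messages.upsert', guardUpsert(myHandler))
```

The guard makes no attempt to tell a genuine requestId event from a forged one; it drops both, and it does nothing for the app state sync jamming.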

Analysis (AI)

Message spoofing and app state corruption in the Baileys WhatsApp library (versions < 6.7.22 and < 7.0.0-rc12) allow remote attackers to forge messages.upsert events, inject history sync data, and jam the app state sync system by sending crafted protocolMessage payloads via placeholderResendMessage. The flaw stems from missing self-origin checks on protocol message types that should only originate from the user's own device. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify target Baileys session WhatsApp ID
Delivery: Craft malicious protocolMessage with self-only type
Exploit: Send via placeholderResendMessage path
Install: Bypass missing fromMe check in processMessage
C2: Trigger fake messages.upsert or app-state key share
Execute: Spoof messages or corrupt sync state
Impact: Manipulate downstream bot logic or jam device

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the attacker to be able to send a WhatsApp protocolMessage of type HISTORY_SYNC_NOTIFICATION, APP_STATE_SYNC_KEY_SHARE, LID_MIGRATION_MAPPING_SYNC, or PEER_DATA_OPERATION_REQUEST_RESPONSE_MESSAGE to a target Baileys session running an unpatched version (< 6.7.22 on v6, or >= 7.0.0-rc.1 and < 7.0.0-rc12 on v7); the payload is delivered via the placeholderResendMessage path. …
Risk Assessment: No CVSS or EPSS was provided in the input and the issue is not on the CISA KEV list, so risk must be assessed from the description and patch. …
Exploit Scenario: An attacker who knows or can reach a Baileys-powered bot's WhatsApp number sends a crafted protocolMessage via placeholderResendMessage carrying a forged HISTORY_SYNC_NOTIFICATION or APP_STATE_SYNC_KEY_SHARE; the bot's processMessage dispatches a messages.upsert event with an attacker-chosen key and body, so downstream application logic (support workflows, payment bots, moderation pipelines) acts on spoofed messages attributed to other users or to the operator's own device. The same primitive can be repeated to inject fake history sync context or to poison app-state key shares and freeze the device's state sync.
Remediation: Vendor-released patch: upgrade to Baileys 6.7.22 on the v6 line or 7.0.0-rc12 on the v7 line, both of which incorporate commit 3beb08eecfcb4e65722e674034bd84fb11a9de35 that drops self-only protocolMessage types when message.key.fromMe is false (see https://github.com/WhiskeySockets/Baileys/security/advisories/GHSA-qvv5-jq5g-4cgg). …
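
The self-origin rule described in the remediation, modelled as an added example (not the code from the patch commit) that also tallies dropped messages by type for logging. The message objects are simplified, constructed samples, and the four type names from this page are used as strings, which is an assumption made for readability.

```javascript
// Added example: models "drop self-only protocolMessage types when
// message.key.fromMe is false". Not the patch's code.
const SELF_ONLY_TYPES = new Set([
  'HISTORY_SYNC_NOTIFICATION',
  'APP_STATE_SYNC_KEY_SHARE',
  'LID_MIGRATION_MAPPING_SYNC',
  'PEER_DATA_OPERATION_REQUEST_RESPONSE_MESSAGE',
]);

// Returns 'not-protocol', 'process' or 'drop' for one message.
function classify(msg) {
  const proto = msg && msg.message && msg.message.protocolMessage;
  if (!proto) return 'not-protocol';
  if (!SELF_ONLY_TYPES.has(proto.type)) return 'process';
  // Strict check: a missing or non-boolean fromMe counts as "not from me".
  const fromSelf = Boolean(msg.key) && msg.key.fromMe === true;
  return fromSelf ? 'process' : 'drop';
}

// Tally a batch so dropped self-only types can be logged and alerted on.
function auditBatch(messages) {
  const report = { processed: 0, dropped: {} };
  for (const m of messages) {
    if (classify(m) === 'drop') {
      const t = m.message.protocolMessage.type;
      report.dropped[t] = (report.dropped[t] || 0) + 1;
    } else {
      report.processed += 1;
    }
  }
  return report;
}

// Constructed batch: own-device key share, remote key share, remote history
// sync with no fromMe flag, a non-self-only protocol type, and a plain text.
const constructedBatch = [
  { key: { fromMe: true }, message: { protocolMessage: { type: 'APP_STATE_SYNC_KEY_SHARE' } } },
  { key: { fromMe: false }, message: { protocolMessage: { type: 'APP_STATE_SYNC_KEY_SHARE' } } },
  { key: {}, message: { protocolMessage: { type: 'HISTORY_SYNC_NOTIFICATION' } } },
  { key: { fromMe: false }, message: { protocolMessage: { type: 'REVOKE' } } },
  { key: { fromMe: false }, message: { conversation: 'hello' } },
];

const constructedReport = auditBatch(constructedBatch);
```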

Recommended Action (AI)

Within 24 hours: Identify all systems, applications, and development projects using the Baileys library. …
