CVE-2024-39691: 
JavaScript vulnerability analysis and mitigation

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The vulnerability (CVE-2024-39691) was discovered in versions before 2.0.1, where a malicious Matrix homeserver could potentially leak truncated message content of messages it shouldn't have access to. This vulnerability was related to the fix for CVE-2024-32000 included in matrix-appservice-irc 2.0.0, which incorrectly relied on homeserver-provided timestamps for access control (GitHub Advisory).

The vulnerability stems from the bridge's reliance on the Matrix homeserver-provided timestamp (origin_server_ts) to determine whether a user has access to events they're replying to. Since this value is controlled by external entities, a malicious Matrix homeserver could fabricate the timestamp to trick the bridge into leaking room messages it should not have access to. The issue has a CVSS v3.1 Base Score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (GitHub Advisory).

A malicious Matrix homeserver joined to a room with a vulnerable matrix-appservice-irc bridge instance could potentially access truncated versions of room messages it should not have access to (GitHub Advisory).

The issue has been patched in matrix-appservice-irc version 2.0.1, which drops the reliance on origin_server_ts and instead tracks event timestamps internally. As a workaround, administrators can limit the amount of information leaked by setting a reply template that doesn't contain the original message (GitHub Advisory).