InspIRCd Security Advisory 2020-02


The websocket module before v3.8.1 contains a double free vulnerability. When combined with a HTTP reverse proxy this vulnerability can be used by any user who is [GKZ]-lined to remotely crash an InspIRCd server.

Thanks to @benharri for reporting this issue.

Affected Versions

This vulnerability is present in the following releases:

This vulnerability is fixed in version 3.8.1. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then the websocket module should be unloaded or reconfigured to allow users to connect directly instead of through a HTTP reverse proxy.