Mellium


CVE-2024-46957

Affected components:
  • mellium.im/xmpp
Affected versions:
  • v0.0.1
  • v0.1.0
  • v0.2.0
  • v0.3.0
  • v0.4.0
  • v0.5.0
  • v0.6.0
  • v0.7.0
  • v0.7.1
  • v0.7.2
  • v0.8.0
  • v0.9.0
  • v0.10.0
  • v0.11.0
  • v0.11.1
  • v0.12.0
  • v0.13.0
  • v0.14.0
  • v0.15.0
  • v0.16.0
  • v0.17.0
  • v0.17.1
  • v0.18.0
  • v0.19.0
  • v0.20.0
  • v0.21.0
  • v0.21.2
  • v0.21.3
  • v0.21.4
Fixed in:
  • v0.22.0
Assigned CVE:
  • CVE-2024-46957

Versions of mellium.im/xmpp prior to v0.22.0 matched IQ (and other stanza) responses to pending requests by ID alone, without checking the stanza type. A presence stanza carrying the same ID as an outstanding IQ could therefore have its body handed to the IQ handler as if it were the reply to that IQ.

Combined with predictable IDs (from a custom generator) and handlers that do not verify the stanza type themselves, this lets a malicious actor forge the reply to an IQ that the victim sent to another client or to the server: the attacker sends a message or presence stanza carrying the guessed ID. A forged IQ of type “result” or “error” would be rejected by the server's safety checks, but the server applies no such check to messages or presences, so the forged stanza is delivered and the victim's IQ handler accepts it as the reply.

The default ID generation in mellium.im/xmpp is believed to be immune to this problem because its IDs are not predictable. If you generate your own IDs, ensure they are unpredictable; a sequential counter or a timestamp is not sufficient, since an attacker who can guess the ID of an outstanding request can target it.
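The following is an added illustration of the bug class described above, not code from mellium.im/xmpp and not the v0.22.0 fix itself (whose exact logic may differ). It assumes a small response router (`router`, `newRouter`, `send`, `receive`), a deliberately predictable ID generator (`counterIDs`) beside a crypto/rand-based one (`randomID`), and constructed stanzas: the same router is run once matching by ID alone (the pre-v0.22.0 behaviour) and once also requiring an `<iq/>` of type "result" or "error".

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// stanza holds the attributes a response router needs from any inbound
// stanza. This is a stand-alone illustration, not mellium's own types.
type stanza struct {
	XMLName xml.Name
	ID      string `xml:"id,attr"`
	Type    string `xml:"type,attr"`
	From    string `xml:"from,attr"`
}

// router tracks outstanding IQ requests by ID. With checkType=false it
// reproduces the pre-v0.22.0 behaviour (match by ID only); with
// checkType=true it also requires an <iq/> of type "result" or "error".
type router struct {
	pending   map[string]bool
	checkType bool
}

func newRouter(checkType bool) *router {
	return &router{pending: make(map[string]bool), checkType: checkType}
}

// send records that an IQ request with the given ID is awaiting a reply.
func (r *router) send(id string) { r.pending[id] = true }

// receive parses one inbound stanza and reports whether it was handed to the
// pending IQ handler, with a short reason for the decision.
func (r *router) receive(raw string) (bool, string) {
	var s stanza
	if err := xml.Unmarshal([]byte(raw), &s); err != nil {
		return false, "parse error: " + err.Error()
	}
	if !r.pending[s.ID] {
		return false, "no outstanding request with id " + s.ID
	}
	if r.checkType {
		// Only an IQ response may satisfy a pending IQ request. A presence or
		// message with a colliding ID, or an IQ of type get/set, is ignored
		// here and should fall through to the normal stanza handlers instead.
		if s.XMLName.Local != "iq" {
			return false, "not an iq: <" + s.XMLName.Local + "/>"
		}
		if s.Type != "result" && s.Type != "error" {
			return false, "iq type " + s.Type + " is not a response"
		}
	}
	delete(r.pending, s.ID) // a request is answered at most once
	return true, "delivered to the iq handler as the reply to " + s.ID
}

// counterIDs is a deliberately predictable generator of the kind the
// advisory warns about: anyone who sees one ID can guess the next.
type counterIDs struct{ n int }

func (c *counterIDs) next() string {
	c.n++
	return fmt.Sprintf("iq-%d", c.n)
}

// randomID returns 128 bits from crypto/rand, base64url-encoded (22 chars),
// which an attacker cannot guess.
func randomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	// Constructed stanzas: the victim's IQ request uses the predictable ID
	// "iq-1"; the attacker sends a presence carrying the same ID.
	ids := &counterIDs{}
	reqID := ids.next()
	forged := `<presence xmlns="jabber:client" id="` + reqID + `" from="mallory@example.net/x"/>`
	genuine := `<iq xmlns="jabber:client" id="` + reqID + `" type="result" from="example.net"/>`

	for _, check := range []bool{false, true} {
		r := newRouter(check)
		r.send(reqID)
		ok, why := r.receive(forged)
		fmt.Printf("checkType=%v forged presence: matched=%v (%s)\n", check, ok, why)
		ok, why = r.receive(genuine)
		fmt.Printf("checkType=%v genuine result:  matched=%v (%s)\n", check, ok, why)
	}
	if id, err := randomID(); err == nil {
		fmt.Println("random id:", id)
	}
}
```

Note that in the unchecked run the forged presence not only reaches the IQ handler but also consumes the pending entry, so the genuine result that arrives afterwards is orphaned; the type check alone closes that path, and unpredictable IDs remove the attacker's ability to pick the colliding ID in the first place.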