critical

Baileys (WhatsApp library) message spoofing and app state corruption via malicious protocolMessage payload

critical-cve-against-dependency · active

The Baileys npm library (a WhatsApp Web API client) is vulnerable to message spoofing, history sync spoofing, and app state sync corruption when sent a maliciously crafted protocolMessage payload. Anyone can spoof messages.upsert events with fake keys and payloads. Fixed in 7.0.0-rc12 and 6.7.22.
