js · baileysCritical
baileys: Message spoofing via placeholderResendMessage
A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sync, and spoof history sync.
What changed
A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sync, and spoof history sync.
Who it affects
All baileys sessions under versions < 7.0.0-rc12 and < 6.7.22.
What to do today
Update to version 7.0.0-rc12 or 6.7.22 immediately, or apply workarounds: drop messages.upsert events with requestId field and disable automatic history sync.
The trail
Collected→
Audited→
Written→
Published