WeeChat

v4.9.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 3d Editors & IDEs
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

c chat client extensible irc javascript lua perl php python ruby scheme scripting tcl

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 3d

Version v4.9.1 of WeeChat ships critical security fixes for timing attacks and memory-exhaustion vulnerabilities in the relay module, plus several bug fixes.

Why it matters: Patches address high‑severity (90) timing attacks on password and TOTP authentication and limit decompressed WebSocket frame size to prevent memory exhaustion; all users of the relay module should upgrade immediately.

Summary

AI summary

Updates relay and core across a mixed release of security fixes and bug fixes; the relay timing-attack fixes are tracked in https://github.com/weechat/weechat/security/advisories/GHSA-vhv8-g2r9-cwcc.

Changes in this release

Security Critical

Limits decompressed WebSocket frame size to prevent memory exhaustion

Source: llm_adapter@2026-05-31

Confidence: high

Security Critical

Fixes timing attack on password authentication in relay module

Source: llm_adapter@2026-05-31

Confidence: high

Security Critical

Fixes timing attack on TOTP validation in API and relay modules

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Applies weechat.look.color_real_white option correctly on 16+ color terminals when value is "white"

Source: llm_adapter@2026-05-31

Confidence: high

Bugfix Medium

Corrects tag handling in IRC messages with name lists during channel joins

Source: llm_adapter@2026-05-31

Confidence: high

Full changelog

Fixed

  • core: fix option weechat.look.color_real_white not applied when color is "white" on 16+ color terminals (#1742)
  • irc: fix tag in message with list of names when joining a channel
  • relay: limit size of decompressed websocket frame with permessage-deflate to prevent memory exhaustion (GHSA-v2v4-45wm-5cr3)
  • relay: fix timing attack on password authentication (GHSA-vhv8-g2r9-cwcc)
  • api, relay: fix timing attack on TOTP validation (GHSA-vhv8-g2r9-cwcc)

Download

https://weechat.org/download/weechat/4.9.1/

Security Fixes

  • GHSA-v2v4-45wm-5cr3 — limit decompressed websocket frame size in relay to prevent memory exhaustion
  • GHSA-vhv8-g2r9-cwcc — fix timing attack on password authentication and TOTP validation for relay and API


About WeeChat

Fast, light and extensible chat client.
