CVE-2026-48063

描述

### Impact Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake `messages.upsert` event with a **fake message key and payload**. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key shares, and also allows for history sync spoofing which also serves the same problem, injecting fake previous context or "on-demand" sync. ### Patches https://github.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35 This commit has patched the issue, and a version tag has been released under 7.0.0 (6.7.22) for those still on Baileys v6. A new Baileys version, v7.0.0-rc12, has been released to remediate this. ### Workarounds There are no real workarounds other than dropping `messages.upsert `events that contain a `requestId` field, turning off automatic history sync (`shouldSyncHistoryMessage: () => false`) in socket config. There are no workarounds for the app state sync jamming.

如何修補 CVE-2026-48063

要修補 CVE-2026-48063,請將受影響套件升級到下列已修補版本。

• —升級至 6.7.22 或更新版本
• —升級至 6.7.22 或更新版本

CVE-2026-48063 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-48063 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(2)

• from 0, < 6.7.22
• from 0, < 6.7.22

CVSS 分數

參考連結(3)

• PATCHgithub.com/WhiskeySockets/Baileys
• WEBgithub.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35
• WEBgithub.com/WhiskeySockets/Baileys/security/advisories/GHSA-qvv5-jq5g-4cgg