GHSA-qvv5-jq5g-4cgg

Suggest an improvement
Source
https://github.com/advisories/GHSA-qvv5-jq5g-4cgg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvv5-jq5g-4cgg/GHSA-qvv5-jq5g-4cgg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qvv5-jq5g-4cgg
Aliases
  • CVE-2026-48063
Downstream
Published
2026-06-10T19:33:20Z
Modified
2026-06-10T19:45:08.203669125Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload
Details

Impact

Any baileys session under the latest version (< 7.0.0-rc12, and < 6.7.22) can be sent a malicious payload via the placeholderResendMessage and trigger a fake messages.upsert event with a fake message key and payload. This allows anyone to spoof messages. The same exploit also allows an attacker to corrupt the app state sync system by sending fake key shares, and also allows for history sync spoofing which also serves the same problem, injecting fake previous context or "on-demand" sync.

Patches

https://github.com/WhiskeySockets/Baileys/commit/3beb08eecfcb4e65722e674034bd84fb11a9de35 This commit has patched the issue, and a version tag has been released under 7.0.0 (6.7.22) for those still on Baileys v6. A new Baileys version, v7.0.0-rc12, has been released to remediate this.

Workarounds

There are no real workarounds other than dropping messages.upsertevents that contain a requestId field, turning off automatic history sync (shouldSyncHistoryMessage: () => false) in socket config. There are no workarounds for the app state sync jamming.

Database specific
{
    "github_reviewed_at": "2026-06-10T19:33:20Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-290",
        "CWE-345",
        "CWE-346"
    ],
    "severity": "CRITICAL"
}
References

Affected packages

npm / baileys

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.22

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvv5-jq5g-4cgg/GHSA-qvv5-jq5g-4cgg.json"

npm / @whiskeysockets/baileys

Package

Name
@whiskeysockets/baileys
View open source insights on deps.dev
Purl
pkg:npm/%40whiskeysockets%2Fbaileys

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.22

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvv5-jq5g-4cgg/GHSA-qvv5-jq5g-4cgg.json"

npm / baileys

Package

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0-rc.1
Fixed
7.0.0-rc12

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvv5-jq5g-4cgg/GHSA-qvv5-jq5g-4cgg.json"

npm / @whiskeysockets/baileys

Package

Name
@whiskeysockets/baileys
View open source insights on deps.dev
Purl
pkg:npm/%40whiskeysockets%2Fbaileys

Affected ranges

Type
SEMVER
Events
Introduced
7.0.0-rc.1
Fixed
7.0.0-rc12

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qvv5-jq5g-4cgg/GHSA-qvv5-jq5g-4cgg.json"