CVE-2016-2087 Hexchat Project CVE debrief

Who should care

Organizations and individuals running HexChat 2.11.0, especially environments where IRC servers or server names may be influenced by untrusted parties. Security teams should treat this as a client-side file integrity and confidentiality risk.

Technical summary

The official NVD record maps this issue to CWE-22 (path traversal) and marks HexChat 2.11.0 as vulnerable. The flaw is triggered through the IRC server name containing "..", which can cause the client to access paths outside the expected directory. The reported impact is high confidentiality and integrity impact, with no direct availability impact in the supplied CVSS vector.

Defensive priority

High. This is network-reachable, requires no privileges, and has no user interaction per the CVSS vector in NVD, so affected deployments should be reviewed promptly for exposure and version state.

Recommended defensive actions

• Confirm whether HexChat 2.11.0 is deployed in your environment.
• Upgrade or replace affected HexChat installations with a fixed version if available from the vendor.
• Restrict use of untrusted IRC servers and review any configurations that accept externally controlled server names.
• Monitor client-side file access behavior for unexpected reads or writes associated with IRC connection setup.
• Treat third-party exploit writeups as confirmation that the issue was publicly analyzed, but rely on vendor/NVD guidance for remediation status.

Evidence notes

Source corpus states: "Directory traversal vulnerability in the client in HexChat 2.11.0 allows remote IRC servers to read or modify arbitrary files via a .. (dot dot) in the server name." NVD metadata lists affected CPE cpe:2.3:a:hexchat_project:hexchat:2.11.0:*:*:*:*:*:*:* and weakness CWE-22. CVSS vector is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, severity HIGH. The supplied references include NVD/CVE records plus third-party exploit/advisory links; no vendor fix URL was included in the corpus.

Official resources