Unsanitized user input can lead to path traversal in URLs

Moderate
DonovanDMC published GHSA-5h5v-hw44-f6gg May 14, 2024

Package

oceanic.js (npm)

Affected versions

< 1.10.4

Patched versions

1.10.4

Description

Impact

Input to functions such as Client.rest.channels.removeBan is not URL-encoded. As a result, specially crafted input such as ../../../channels/{id} is normalized into the URL /api/v10/channels/{id}, and the request deletes a channel rather than removing a ban.

Workarounds

  • Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
  • Encoding input with encodeURIComponent before providing it to the library.
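
The normalization described under Impact and the two workarounds above, as an added example (not code from oceanic.js or from the advisory). The ban route shape, the placeholder origin, the ID values and the helper names banPath, normalizedPath, isSnowflake and safeBanPath are assumptions made for illustration.

```javascript
// Added example: constructed IDs, placeholder origin, assumed route shape.
const BASE = "https://api.example.invalid";

// Naive interpolation of caller-supplied IDs into a ban-removal path.
function banPath(guildID, userID) {
  return `/api/v10/guilds/${guildID}/bans/${userID}`;
}

// The path an HTTP client sends after WHATWG URL normalization.
function normalizedPath(path) {
  return new URL(path, BASE).pathname;
}

// Workaround 1: accept only decimal ID strings (assumed snowflake format).
// This also rejects dot-only values, which encodeURIComponent leaves unchanged.
function isSnowflake(value) {
  return typeof value === "string" && /^[0-9]{1,20}$/.test(value);
}

// Workaround 2 layered on 1: validate, then encode before building the path.
function safeBanPath(guildID, userID) {
  for (const id of [guildID, userID]) {
    if (!isSnowflake(id)) {
      throw new TypeError(`invalid ID: ${JSON.stringify(id)}`);
    }
  }
  return banPath(encodeURIComponent(guildID), encodeURIComponent(userID));
}

const guild = "111111111111111111"; // constructed
// Pattern quoted in the advisory, with a constructed channel ID.
const crafted = "../../../channels/222222222222222222";

// Unencoded: the dot segments collapse and the route changes.
console.log(normalizedPath(banPath(guild, crafted)));
// Encoded: "/" becomes %2F, so the value stays a single path segment.
console.log(normalizedPath(banPath(guild, encodeURIComponent(crafted))));
// Validated: the crafted value never reaches the path at all.
try {
  safeBanPath(guild, crafted);
} catch (err) {
  console.log(err.message);
}
```
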

References

8bf8ee8

Severity

Moderate

CVE ID

CVE-2024-34712
