[NPM:GHSA-5H5V-HW44-F6GG] Oceanic allows unsanitized user input to lead to path traversal in URLs

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

Impact

Input to functions such as Client.rest.channels.removeBan is not URL-encoded, so specially crafted input such as ../../../channels/{id} is normalized into the URL /api/v10/channels/{id}, deleting a channel rather than removing a ban.

Workarounds

  • Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
  • Encoding input with encodeURIComponent before providing it to the library.
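An added example (not Oceanic's own code) showing the normalization the Impact section describes and the two workarounds above as callable checks. The base host, the guilds/{id}/bans/{id} route shape and the snowflake format are assumptions for illustration.

```javascript
// Added example, not from the Oceanic project. The host below is a placeholder.
const API_BASE = "https://example.invalid/api/v10";

// Raw interpolation of the ids, then the normalization a URL parser applies:
// a ".." segment pops the preceding segment, so the route can be redirected.
function unsafeBanRoute(guildId, userId) {
  return new URL(`${API_BASE}/guilds/${guildId}/bans/${userId}`).pathname;
}

// Workaround 2: encode each segment so "/" becomes %2F and the whole value
// stays a single path segment instead of several.
function encodedBanRoute(guildId, userId) {
  const g = encodeURIComponent(guildId);
  const u = encodeURIComponent(userId);
  return new URL(`${API_BASE}/guilds/${g}/bans/${u}`).pathname;
}

// Workaround 1: validate the value for its purpose. encodeURIComponent leaves
// "." untouched, so a bare ".." still normalizes; a strict id check does not
// have that gap. Snowflake ids are assumed to be 17-20 decimal digits.
const SNOWFLAKE = /^\d{17,20}$/;
function assertSnowflake(value) {
  if (typeof value !== "string" || !SNOWFLAKE.test(value)) {
    throw new TypeError(`expected a snowflake id, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Both checks combined: reject non-ids, then encode what remains.
function safeBanRoute(guildId, userId) {
  return encodedBanRoute(assertSnowflake(guildId), assertSnowflake(userId));
}
```

Constructed ids such as "123456789012345678" exercise the checks; the bare ".." case shows why validation is needed in addition to encoding.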

References

OceanicJS/Oceanic@8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

Package Affected Version
pkg:npm/oceanic.js < 1.10.4
Package Fixed Version
pkg:npm/oceanic.js = 1.10.4
ID
NPM:GHSA-5H5V-HW44-F6GG
Severity
moderate
URL
https://github.com/advisories/GHSA-5h5v-hw44-f6gg
Published
2024-05-14T20:13:58
Modified
2024-05-14T20:14:00
Rights
NPM Security Team