CVE-2024-34712 Information
Description
Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not URL-encoded, so specially crafted input such as ../../../channels/{id} is normalized into the URL /api/v10/channels/{id}, deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available: one may sanitize user input, ensuring strings are valid for the purpose they are being used for, or one may encode input with encodeURIComponent before providing it to the library.
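The two workarounds, shown as an added example (not Oceanic's code, and not taken from the advisory). The helper names, the sample IDs, the 17-20 digit ID pattern and the ban route template /api/v10/guilds/{guild}/bans/{user} are assumptions of this sketch; no request is sent.

```javascript
// Added example: helper names and IDs are constructed, not Oceanic's own code.
const API_BASE = "https://discord.com"; // used only for URL parsing; nothing is sent

// Assumption: Discord IDs (snowflakes) are 17-20 digit decimal strings.
const SNOWFLAKE = /^\d{17,20}$/;

// Models the pre-1.10.4 behaviour: the ID is interpolated without encoding.
function rawBanPath(guildID, userID) {
  return `/api/v10/guilds/${guildID}/bans/${userID}`;
}

// Workaround: percent-encode each path parameter with encodeURIComponent.
function encodedBanPath(guildID, userID) {
  return `/api/v10/guilds/${encodeURIComponent(guildID)}/bans/${encodeURIComponent(userID)}`;
}

// Workaround: reject anything that is not a valid ID before building the path.
function validatedBanPath(guildID, userID) {
  for (const [name, value] of Object.entries({ guildID, userID })) {
    if (typeof value !== "string" || !SNOWFLAKE.test(value)) {
      throw new TypeError(`${name} is not a valid snowflake`);
    }
  }
  return encodedBanPath(guildID, userID);
}

// Path after dot-segment normalization (the WHATWG URL parser is used to show it).
function resolvedPath(path) {
  return new URL(path, API_BASE).pathname;
}

const GUILD = "111111111111111111";   // constructed
const CHANNEL = "222222222222222222"; // constructed
const crafted = `../../../channels/${CHANNEL}`; // input shape from the description

// Unencoded: the request leaves the ban route entirely.
console.log(resolvedPath(rawBanPath(GUILD, crafted)));
// Encoded: the slashes become %2F, so the value stays a single path segment.
console.log(resolvedPath(encodedBanPath(GUILD, crafted)));
```

Validation is the stricter of the two: encoding keeps the request on the ban route, while validation rejects the malformed ID before any path is built.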
Reference
https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg
https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe