CVE-2022-24849

MEDIUM

DisCatSharp 9.8.5-9.9.0 - Unauthenticated Exposure of Sensitive Information via Developer Attribute

Title source: llm

Description

DisCatSharp is a Discord API wrapper for .NET. Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two `RequireDisCatSharpDeveloperAttribute`s or the `BaseDiscordClient.LibraryDeveloperTeam` have potentially had their bot token sent to a web server not affiliated with Discord. This server is owned and operated by DisCatSharp's development team. The tokens were not logged, yet it is still advisable to reset the tokens of potentially affected bots. 9.9.1 has been released to patch the issue for the current stable release and the current 10.0.0 prereleases are also no longer affected. Users unable to upgrade should remove all uses of the two `RequireDisCatSharpDeveloperAttribute`s and all direct calls to `BaseDiscordClient.LibraryDeveloperTeam`.

References (1)

Core 1

Core References

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/Aiko-IT-Systems/DisCatSharp/security/advisories/GHSA-frxg-hf44-q765

Scores

CVSS v3 6.5

EPSS 0.0031

EPSS Percentile 54.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

aitsys/discatsharp 9.8.5 - 9.9.1

nuget/DisCatSharp 9.8.5 - 9.9.1NuGet

Published Apr 14, 2022

Tracked Since Feb 18, 2026