CVE-2024-34712

MEDIUM

NPM Oceanic.js < 1.10.4 - Path Traversal

Title source: rule

Description

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../channels/{id}` being normalized into the url `/api/v10/channels/{id}`, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with `encodeURIComponent` before providing it to the library.

References (2)

[Vendor Advisory] https://github.com/OceanicJS/Oceanic/security/advisories/GHSA-5h5v-hw44-f6gg

[Patch] https://github.com/OceanicJS/Oceanic/commit/8bf8ee8373b8c565fbdbf70a609aba4fbc1a1ffe

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 46.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-23

Status published

Products (2)

npm/oceanic.js 0 - 1.10.4npm

OceanicJS/Oceanic < 1.10.4

Published May 14, 2024

Tracked Since Feb 18, 2026