VYPR
Medium severity6.5OSV Advisory· Published May 14, 2024· Updated Apr 15, 2026

CVE-2024-34712

CVE-2024-34712

Description

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with encodeURIComponent before providing it to the library.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
oceanic.jsnpm
< 1.10.41.10.4

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.