Medium severity6.5NVD Advisory· Published May 14, 2024· Updated Apr 15, 2026

CVE-2024-34712

Description

Oceanic is a NodeJS library for interfacing with Discord. Prior to version 1.10.4, input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban. Version 1.10.4 fixes this issue. Some workarounds are available. One may sanitize user input, ensuring strings are valid for the purpose they are being used for. One may also encode input with encodeURIComponent before providing it to the library.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
oceanic.jsnpm	< 1.10.4	1.10.4

Patches

8bf8ee8373b8

https://github.com/oceanicjs/oceanicvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000