Miggo Logo
Miggo Vulnerability Database
CVE-2024-34712

CVE-2024-34712: Oceanic allows unsanitized user input to lead to path traversal in URLs

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-34712
GHSA ID
GHSA-5h5v-hw44-f6gg
EPSS Score
0.46183%
CWE
CWE-22
Published
5/14/2024
Updated
5/14/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
oceanic.jsnpm< 1.10.41.10.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from route generation functions that directly interpolated user input into URL paths without URI encoding. The commit diff shows these functions were modified to use a new encode() wrapper that applies encodeURIComponent. The example in the advisory (Client.rest.channels.removeBan) maps to the GUILD_BAN route, while other modified routes like CHANNEL and GUILD_MEMBER share the same vulnerable pattern. All affected functions in Routes.ts that were patched to use encode() were previously vulnerable to path traversal via unencoded parameters.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Input to *un*tions su** *s `*li*nt.r*st.***nn*ls.r*mov***n` is not url-*n*o***, r*sultin* in sp**i*lly *r**t** input su** *s `../../../***nn*ls/{i*}` **in* norm*liz** into t** url `/*pi/v**/***nn*ls/{i*}`, *n* **l*tin* * ***nn*l r*t**r t**

Reasoning

T** vuln*r**ility st*ms *rom rout* **n*r*tion *un*tions t**t *ir**tly int*rpol*t** us*r input into URL p*t*s wit*out URI *n*o*in*. T** *ommit *i** s*ows t**s* *un*tions w*r* mo*i*i** to us* * n*w *n*o**() wr*pp*r t**t *ppli*s *n*o**URI*ompon*nt. T**