N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-93fv-4pm9-xp28

GHSA-93fv-4pm9-xp28: JDA (Java Discord API) downloads external URLs when updating message components

Impact

Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request.

If you are used Message#getComponents or similar to get a list of components and then send those components with sendMessageComponents or other methods, you might unintentionally download media from an external URL in the resolved media of a Thumbnail, FileDisplay, or MediaGallery.

Patches

This bug has been fixed in 6.1.3, and we recommend updating.

Workarounds

Avoid sending components from untrusted messages or update to version 6.1.3.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-93fv-4pm9-xp28

GHSA-93fv-4pm9-xp28:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
net.dv8tion:JDA	maven	>= 6.0.0, < 6.1.3	6.1.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in how JDA handles media URLs in message components. When a message component containing media (like a thumbnail, file display, or media gallery) is resent or updated, JDA would attempt to download the media from the URL specified in the component. The vulnerability lies in the getFilesFromMedia function within ComponentsUtil, which, before the patch, would download content from any URL provided in a ResolvedMedia object without verifying if it was a legitimate Discord attachment. An attacker could craft a message with a component pointing to an external, malicious URL. When a bot using the vulnerable JDA version processes this component (e.g., by using Message#getComponents and then resending them), JDA would make a request to the malicious URL, leading to a Server-Side Request Forgery (SSRF) vulnerability. The patch fixes this by adding a check (media.getAttachmentId() != null) to ensure that only media from Discord attachments are downloaded. The toData methods in FileDisplayImpl, MediaGalleryItemImpl, and ThumbnailImpl were also patched to use a new utility method (ComponentsUtil.getMediaUrl) that correctly handles media URLs, preventing the inclusion of external URLs in the component data sent to Discord's API.

Vulnerable functions

net.dv8tion.jda.internal.components.utils.ComponentsUtil.getFilesFromMedia

src/main/java/net/dv8tion/jda/internal/components/utils/ComponentsUtil.java

This function was responsible for downloading media files. Before the patch, it would download from any URL provided in the `ResolvedMedia` object, without verifying if it was a Discord attachment. This allowed an attacker to specify an external URL, causing the server to make a request to that URL (SSRF). The patch added a check for `media.getAttachmentId() != null` to ensure only Discord attachments are downloaded.

net.dv8tion.jda.internal.components.filedisplay.FileDisplayImpl.toData

src/main/java/net/dv8tion/jda/internal/components/filedisplay/FileDisplayImpl.java

This function prepares the data for a file display component. The vulnerable version would construct a URL that could be an external URL if provided in the `ResolvedMedia` object. This data would then be processed, leading to the SSRF in `getFilesFromMedia`. The patch delegates URL generation to the new `ComponentsUtil.getMediaUrl` function, which contains the fix.

net.dv8tion.jda.internal.components.mediagallery.MediaGalleryItemImpl.toData

src/main/java/net/dv8tion/jda/internal/components/mediagallery/MediaGalleryItemImpl.java

Similar to `FileDisplayImpl.toData`, this function prepares the data for a media gallery item. The vulnerable version could include an external URL, contributing to the SSRF vulnerability. The patch uses the new safe `ComponentsUtil.getMediaUrl` function.

net.dv8tion.jda.internal.components.thumbnail.ThumbnailImpl.toData

src/main/java/net/dv8tion/jda/internal/components/thumbnail/ThumbnailImpl.java

This function prepares the data for a thumbnail component. The vulnerable version could include an external URL, which would then be downloaded by the application, leading to an SSRF. The patch fixes this by using the new safe `ComponentsUtil.getMediaUrl` function.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-93fv-4pm9-xp28: JDA (Java Discord API) downloads external URLs when updating message components

Impact

Patches

Workarounds

GHSA-93fv-4pm9-xp28:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-93fv-4pm9-xp28: JDA (Java Discord API) downloads external URLs when updating message components

Impact

Patches

Workarounds

Technical Details

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI