Headline
GHSA-93fv-4pm9-xp28: JDA (Java Discord API) downloads external URLs when updating message components
Impact
Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request.
If you use Message#getComponents or a similar accessor to obtain the components of a message and then pass those components to sendMessageComponents or another send or update method, the requester may download media from an external URL referenced by the resolved media of a Thumbnail, FileDisplay, or MediaGallery. When the original message came from an untrusted user, that URL is attacker-controlled, so the bot ends up issuing an outbound request to a destination the attacker chose.
Patches
This bug has been fixed in 6.1.3, and we recommend updating.
Workarounds
Avoid sending components from untrusted messages or update to version 6.1.3.
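The following is an added example, not code from JDA or this advisory, of how a bot can apply the workaround above: walk the component tree of an untrusted message and refuse to re-send it if any Thumbnail, FileDisplay, or MediaGallery item refers to a URL the bot did not attach itself. It assumes the package and accessor names of the JDA 6.x components API shown in the imports (Thumbnail#getUrl, FileDisplay#getUrl, MediaGallery#getItems, Container#getComponents, Section#getContentComponents and Section#getAccessory); verify them against the JDA version you run. The attachment:// scheme is the form Discord uses for media a bot uploads with the message, so anything else is treated as external.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

import net.dv8tion.jda.api.components.Component;
import net.dv8tion.jda.api.components.MessageTopLevelComponentUnion;
import net.dv8tion.jda.api.components.container.Container;
import net.dv8tion.jda.api.components.filedisplay.FileDisplay;
import net.dv8tion.jda.api.components.mediagallery.MediaGallery;
import net.dv8tion.jda.api.components.mediagallery.MediaGalleryItem;
import net.dv8tion.jda.api.components.section.Section;
import net.dv8tion.jda.api.components.thumbnail.Thumbnail;
import net.dv8tion.jda.api.entities.Message;
import net.dv8tion.jda.api.entities.channel.middleman.MessageChannel;

/**
 * Guard for GHSA-93fv-4pm9-xp28: do not hand components from an untrusted
 * message back to JDA if any of them would make the requester fetch an
 * external URL. Package and accessor names below are assumed from the
 * JDA 6.x components API and are not taken from the advisory.
 */
public final class UntrustedComponentGuard {

    private UntrustedComponentGuard() {}

    /** Media the bot uploaded itself is referenced as attachment://<name>. */
    static boolean isExternalUrl(String url) {
        return url != null && !url.toLowerCase(Locale.ROOT).startsWith("attachment://");
    }

    /** Recursively walks a component tree looking for external media URLs. */
    static boolean hasExternalMedia(Collection<? extends Component> components) {
        for (Component c : components) {
            if (c instanceof Thumbnail && isExternalUrl(((Thumbnail) c).getUrl()))
                return true;
            if (c instanceof FileDisplay && isExternalUrl(((FileDisplay) c).getUrl()))
                return true;
            if (c instanceof MediaGallery) {
                for (MediaGalleryItem item : ((MediaGallery) c).getItems())
                    if (isExternalUrl(item.getUrl())) return true;
            }
            // Containers and sections nest other components; descend into them.
            if (c instanceof Container && hasExternalMedia(((Container) c).getComponents()))
                return true;
            if (c instanceof Section) {
                Section section = (Section) c;
                if (hasExternalMedia(section.getContentComponents()))
                    return true;
                Component accessory = section.getAccessory(); // assumed accessor
                if (accessory != null && hasExternalMedia(Collections.singletonList(accessory)))
                    return true;
            }
        }
        return false;
    }

    /**
     * Forwards the components of an untrusted message only when none of them
     * reference external media; otherwise posts a short refusal instead.
     */
    public static void forwardSafely(Message untrusted, MessageChannel target) {
        List<MessageTopLevelComponentUnion> components = untrusted.getComponents();
        if (hasExternalMedia(components)) {
            target.sendMessage("Refusing to forward components that reference external media.").queue();
            return;
        }
        target.sendMessageComponents(components).queue();
    }
}
```

This check stays useful after upgrading to 6.1.3: the patch stops the requester from downloading the URL, but forwarding attacker-supplied media references verbatim still lets the bot relay content it never vetted. If your bot legitimately needs to re-host such media, download it through your own fetcher with allow-listed hosts, size limits and timeouts, then attach the result and reference it as attachment://, rather than letting the library resolve the URL.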
References
- GHSA-93fv-4pm9-xp28
- discord-jda/JDA@bb6d2ce