Impact

Input to functions such as Client.rest.channels.removeBan is not url-encoded, resulting in specially crafted input such as ../../../channels/{id} being normalized into the url /api/v10/channels/{id}, and deleting a channel rather than removing a ban.

Workarounds

• Sanitizing user input, ensuring strings are valid for the purpose they are being used for.
• Encoding input with encodeURIComponent before providing it to the library.

References

8bf8ee8