Intel

AIKIDO-2026-313817

line-bot-api is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

59

Medium Risk

This Affects:

RUBYline-bot-api
2.0.0 - 2.8.0
Fixed in 2.8.1
Are you affected? Scan for Free

TL;DR

The generated v2 API clients build request paths by interpolating path parameters directly into URL templates using gsub and to_s, without encoding or validation. When an application forwards attacker-influenced values such as a user ID, message ID, rich menu ID, or audience group ID into these calls, . or .. segments in the value can alter the resolved endpoint and reroute the request to a different LINE Messaging API route while still using the configured channel access token. This confused-deputy behavior can expose data from unintended endpoints reached with the bot's privileged token. The fix centralizes substitution in a Utils.build_path helper that percent-encodes path parameters and rejects dot-segment path traversal.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes attacker-controlled values into API path parameters.

Background info

line-bot-api is vulnerable to Path Traversal in versions 2.0.0 - 2.8.0.

How to fix this

Upgrade the line-bot-api library to the patch version.