line-bot-api is vulnerable to Path Traversal
59
Medium Risk
The generated v2 API clients build request paths by interpolating path parameters directly into URL templates using gsub and to_s, without encoding or validation. When an application forwards attacker-influenced values such as a user ID, message ID, rich menu ID, or audience group ID into these calls, . or .. segments in the value can alter the resolved endpoint and reroute the request to a different LINE Messaging API route while still using the configured channel access token. This confused-deputy behavior can expose data from unintended endpoints reached with the bot's privileged token. The fix centralizes substitution in a Utils.build_path helper that percent-encodes path parameters and rejects dot-segment path traversal.
You are affected if you are using a version that falls within the vulnerable range and your application passes attacker-controlled values into API path parameters.
line-bot-api is vulnerable to Path Traversal in versions 2.0.0 - 2.8.0.
Upgrade the line-bot-api library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant