@line/bot-sdk is vulnerable to URL-Based Access Control Bypass
45
Medium Risk
The generated API clients build request paths by substituting path parameters into URL templates with raw string replacement and no encoding. When an application passes attacker-controlled values such as a userId into these path parameters, input containing ../ or unencoded slashes can escape the intended route and resolve to a different LINE Messaging API endpoint while still carrying the configured bot channel access token. This route confusion lets requests reach unintended endpoints and expose read-only bot and channel metadata. The fix adds a buildPath helper that percent-encodes path parameters and rejects dot and dot-dot path segments.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as path parameters to the SDK client methods.
@line/bot-sdk is vulnerable to URL-Based Access Control Bypass in versions 8.0.0 - 11.0.0.
Upgrade the @line/bot-sdk library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant