GHSA-93fv-4pm9-xp28: JDA (Java Discord API) downloads external URLs when updating message components
Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request.
If you use Message#getComponents or similar to get a list of components and then send those components with sendMessageComponents or other methods, you might unintentionally download media from an external URL in the resolved media of a Thumbnail, FileDisplay, or MediaGallery.
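To check whether a build declares a JDA version inside the range above, the following added example (not part of the advisory or of JDA) scans Gradle and Maven build text for the Maven Central coordinates net.dv8tion:JDA. The function names and the sample build files are constructed for illustration; versions that are not plain major.minor.patch are reported for manual review rather than guessed.

```python
import re

# Affected range as stated in the advisory: >=6.0.0,<6.1.3
AFFECTED_MIN = (6, 0, 0)
FIRST_UNAFFECTED = (6, 1, 3)

# Gradle string notation, Groovy or Kotlin DSL: "net.dv8tion:JDA:6.1.0"
GRADLE_RE = re.compile(r"""["']net\.dv8tion:JDA:([^"'@\s]+)["']""")
# Maven: groupId, artifactId and version elements in the usual order
MAVEN_RE = re.compile(
    r"<groupId>\s*net\.dv8tion\s*</groupId>\s*"
    r"<artifactId>\s*JDA\s*</artifactId>\s*"
    r"<version>\s*([^<\s]+)\s*</version>"
)


def classify(version):
    """Return 'affected', 'not-affected' or 'review' for a declared version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        # Pre-release tags, property placeholders and dynamic versions cannot
        # be placed in the range from the string alone, so flag them.
        return "review"
    parsed = tuple(int(part) for part in m.groups())
    return "affected" if AFFECTED_MIN <= parsed < FIRST_UNAFFECTED else "not-affected"


def scan_build_file(text):
    """Return (declared_version, verdict) for each JDA declaration in text."""
    versions = GRADLE_RE.findall(text) + MAVEN_RE.findall(text)
    return [(v, classify(v)) for v in versions]


# Constructed sample build files, not taken from any real project
SAMPLE_GRADLE = """
dependencies {
    implementation("net.dv8tion:JDA:6.1.0")
    testImplementation 'net.dv8tion:JDA:6.1.3'
}
"""
SAMPLE_POM = """
<dependency><groupId>net.dv8tion</groupId><artifactId>JDA</artifactId>
  <version>${jda.version}</version></dependency>
"""

if __name__ == "__main__":
    for name, text in (("build.gradle", SAMPLE_GRADLE), ("pom.xml", SAMPLE_POM)):
        for version, verdict in scan_build_file(text):
            print(f"{name}: JDA {version} -> {verdict}")
```

A "review" verdict means the declared version has to be resolved by the build tool before it can be compared against the range.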