CVE-2019-10648: Improper Input Validation in net.sf.robocode:robocode.host allows for external service interaction

April 2, 2019 (updated December 22, 2025)

Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.

References

github.com/advisories/GHSA-q2xp-75m7-gv52
github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
nvd.nist.gov/vuln/detail/CVE-2019-10648
sourceforge.net/p/robocode/bugs/406

Code Behaviors & Features

Detect and mitigate CVE-2019-10648 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →