Skip to content

[Crash] Unchecked msg.url access in feedback handler #66

Closed as not planned
Closed as not planned
[Crash] Unchecked msg.url access in feedback handler#66
@coderabbitai

Description

@coderabbitai
coderabbitai
bot
opened on Feb 28, 2026

Summary

Services server crashes when msg.url is undefined in feedback handler.

Affected Code

server-services/start-services.js:577

avatar_url: msg.url + 'favicon.ico', // CRASH if msg.url is undefined

Vulnerability

If client sends {"cmd":"feedback"} without url field.

Impact

  • Services server crash on feedback
  • Denial of service

Proof of Concept

{"cmd":"feedback","email":"test@test.com","comments":"test"}

Recommended Fix

avatar_url: (msg.url || '') + 'favicon.ico',
embeds: [{ description: \`> from ${msg.email || 'unknown'}\\n\\n${msg.comments || ''}\` }]

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions