CVE-2022-24849: 
C# vulnerability analysis and mitigation

A vulnerability in DisCatSharp versions 9.8.5 through 9.9.0 allowed potential exposure of bot tokens to a non-Discord server when using RequireDisCatSharpDeveloperAttributes or BaseDiscordClient.LibraryDeveloperTeam features. The vulnerability was discovered and disclosed on April 13, 2022, affecting the DisCatSharp NuGet package (GitHub Advisory).

The vulnerability occurred when the HttpClient responsible for Discord API requests was incorrectly reused to send requests to DisCatSharp's website during team member fetching operations. This implementation error could result in bot tokens being sent to a server owned and operated by DisCatSharp's development team, though the tokens were reportedly not logged (GitHub Advisory).

Users who implemented either the RequireDisCatSharpDeveloperAttributes or used the BaseDiscordClient.LibraryDeveloperTeam functionality in affected versions potentially had their bot tokens exposed to a non-Discord server. While the tokens were not logged according to the development team, the exposure created a security risk (GitHub Advisory).

The issue was patched in version 9.9.1 for the stable release, and subsequent 10.0.0 prereleases were also fixed. As a workaround, users can remove all uses of the two RequireDisCatSharpDeveloperAttributes and all direct calls to BaseDiscordClient.LibraryDeveloperTeam (GitHub Advisory).