A researcher discovered a critical HTTP request desync vulnerability in Discord's media proxy that allowed injection of arbitrary HTTP requests. By leveraging connection pooling and Content-Length manipulation, attackers could capture other users' attachment requests in real time, including from private DMs. The issue was fixed within 10 days of responsible disclosure.
HTTP desync in Discord's media proxy: Spying on a whole platform
An HTTP request desync in Discord's media proxy enabled real-time interception of user attachments from private DMs via connection pooling manipulation before it was patched in 10 days.
Friday, April 17, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline
Tags
safety