Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-10648
• robo-code/robocode@836c846#diff-0296a8f9d4a509789f4dc4f052d9c36f
• GHSA-q2xp-75m7-gv52
• https://sourceforge.net/p/robocode/bugs/406/