README #1 (Open)

dianecloud wants to merge 1 commit into master from dianecloud-patch-1

Conversation

@dianecloud (Owner)

Unsafe Deserialization Vulnerability in Many Minecraft Mods

A few weeks ago, a critical vulnerability allowing arbitrary remote code execution on clients and servers (and therefore all connected clients on a server) was discovered in many Minecraft mods.

We initially attempted to thoroughly and responsibly investigate the issue in order to publish a write-up and completely fix the vulnerability, but since a group named MMPA just published a blog post (https://blog.mmpa.info/posts/bleeding-pipe/) about the issue while omitting many crucial details about the vulnerability, we were forced to release a statement and attempt to fix the issue right away since they were currently putting millions of modded Minecraft users at risk.

Information on the Vulnerability

The vulnerability is caused by unsafe usage of the Java serialization feature in network packets sent by servers to clients or clients to servers, which allows instantiating any Java class that is loaded in the Minecraft instance.

There was already a similar vulnerability in the past called "Mad Gadget". You can read more about that here:

  • https://opensource.googleblog.com/2017/03/operation-rosehub.html
  • https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

While there are just a relatively small number of attacks targeting this vulnerability in the wild, because of the significance of the vulnerability, it is extremely dangerous to play with the unpatched mods currently. Attackers have already attempted (and succeeded in some cases) to gain access to Microsoft tokens and browser session data. Since they can execute any code they want on a target system, the possibilities are endless.

How Can I Protect Myself Against this Vulnerability?

We developed a patcher that attempts to fix all mods that we know of (the list of mods is below).

~~Should any more affected mods be discovered, a patch is as simple as updating the related config file. (We will publish a release that automates this for you)~~ Version 1.3 of the patch now automatically uses the latest version of the config file (https://github.com/dogboy21/serializationisbad/blob/master/serializationisbad.json) and otherwise falls back to the local config file. If there is no config present, there should be an error informing the user that there are currently no patches applied.

Minecraft Forge 1.7.x - Latest

  • Download the JAR file from the latest release on the releases page (https://github.com/dogboy21/serializationisbad/releases)
    • The fix is now also available on CurseForge (https://www.curseforge.com/minecraft/mc-mods/serializationisbad) and Modrinth (https://modrinth.com/mod/serializationisbad)
  • Add the JAR file to your mods folder
  • ~~Download the latest config file from this Github repository and add it directly to your instance's config directory~~ Version 1.3 of the patch now automatically uses the latest version of the config file

Any Other Instances

  • Download the JAR file from the latest release on the releases page (https://github.com/dogboy21/serializationisbad/releases) (or from CurseForge or Modrinth) and save it somewhere
  • Add the following JVM argument to your client/server (refer to the documentation of the client/server launcher you are using for instructions on how to do this): -javaagent:<PATH TO SAVED JAR FILE>
  • ~~Download the latest config file from this Github repository and add it directly to your instance's config directory~~ Version 1.3 of the patch now automatically uses the latest version of the config file

Affected Mods

Unlike what the blog post stated above, there are plenty of mods that are and could be affected by this issue. Although some of them are already fixed in their latest versions, these mods were exploitable in at least one older version. It is to be expected that several modpacks over the years just are not maintained anymore, but are still popular and loved within the community. Keeping this in mind, we are trying to help those people who still love running those modpacks and strive to keep them safe as they play.

KEEP IN MIND THAT THIS LIST IS NOT COMPLETE! THESE ARE JUST THE MODS WE ARE CURRENTLY AWARE OF! CurseForge is already investigating the issue internally, so we hope we can get a nearly complete list of vulnerable mods and versions in the future.

Also please keep in mind that this is a VULNERABILITY (one that has also affected many other software projects in the past), not something added to the affected mods with any malicious intent. So please do not harass any mod authors because their mods are affected, and also do not call affected mods viruses or something else. That is just completely wrong.

We have moved our affected mods list to another location! See the link below:

Affected Mods List (docs/mods.md)

This list will change frequently as we find more mods that could have vulnerabilities and as developers add patches to their own mods. If you want to help us keep this list up-to-date, please feel free to contribute! 

Technical Approach

Our current approach to fixing the vulnerability is to have a config file with all currently known mod classes that need to be patched. SIB then checks these classes at runtime and replaces the exploitable calls to ObjectInputStream with our safe ClassFilteringObjectInputStream (https://github.com/dogboy21/serializationisbad/blob/master/core/src/main/java/io/dogboy/serializationisbad/core/ClassFilteringObjectInputStream.java) that only allows the deserialization of classes that are on an allow-list in the config file.

This approach has the advantage that we only modify or block confirmed vulnerable uses of ObjectInputStream, while leaving other secure and miscellaneous uses of this class completely unaffected. As a result, the risk of potential game-breaking issues caused by over-blocking is heavily minimized. With this approach, we also do not have any incompatibilities with older Java versions.

This means that we need to add all vulnerable mods to our config file (https://github.com/dogboy21/serializationisbad/blob/master/serializationisbad.json) so they get patched. Possible new cases of mods that are vulnerable are not patched unless they are added to the above-mentioned config file. We are currently working on a good approach to also patch all other uses of ObjectInputStream safely without breaking any mods in the process (see dogboy21#15 and dogboy21#18).

Uses: ugba908@gmail.com

Credits

I am not the only one who was working on the investigation of the whole situation.

Credits to everyone who was involved in this:

  • Aidoneus (MineYourMind Server Network)
  • Bennyboy1695 (Shadow Node Server Network)
  • bziemons (Logistics Pipes Mod Developer)
  • DarkStar (CraftDownUnder Server Network)
  • Dogboy21 (MyFTB Server Network)
  • Einhornyordle (MyFTB Server Network)
  • emily (CraftDownUnder Server Network)
  • Exa (Nomifactory Modpack Developer)
  • HanoverFist (MineYourMind Server Network)
  • Heather (MMCC Server Network)
  • HellFirePvP (Astral Sorcery Mod Developer)
  • Jacob (DirtCraft Server Network)
  • Juakco_ (CraftDownUnder Server Network)
  • Lìam (MineYourMind Server Network)
  • MojangPlsFix (MyFTB Server Network)
  • Niels Pilgaard (Enigmatica Modpack Developer)
  • oliviajumba (CraftDownUnder Server Network)
  • oly2o6 (All the Mods Modpack Developer / Akliz Server Hosting)
  • PurpleIsEverything (Shadow Node Server Network)
  • Pyker (Technic Launcher Developer)
  • RyanTheAllmighty (ATLauncher Developer)
  • Saereth (Modpack Developer)
  • Sauramel (CraftDownUnder Server Network)
  • ThePixelbrain (MMCC Server Network)
  • Tridos (DirtCraft Server Network)

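The allow-listing ObjectInputStream subclass described in the Technical Approach section, shown here as an added illustration in Java that is not the serializationisbad project's own ClassFilteringObjectInputStream: a vulnerable packet decoder beside a hardened one that overrides resolveClass() and rejects every class descriptor that is not on the allow-list. The TeleportRequest packet type, the decode functions and the HashMap used as a stand-in for a hostile payload are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserializationExample {

    /** Hypothetical mod packet payload: the one type this packet is supposed to carry. */
    public static final class TeleportRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final int x, y, z;
        TeleportRequest(int x, int y, int z) { this.x = x; this.y = y; this.z = z; }
    }

    /** Vulnerable pattern: the packet handler deserializes whatever the peer sent. */
    static Object decodeUnsafe(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject(); // any loaded class, gadget chains included, is instantiated here
        }
    }

    /** Hardened replacement: resolveClass() is consulted for every class descriptor in the stream. */
    static final class ClassFilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        ClassFilteringObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Reject before Class.forName(): a class that is not listed is never loaded, let alone instantiated.
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class is not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object decodeSafe(byte[] payload, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ClassFilteringObjectInputStream(new ByteArrayInputStream(payload), allowed)) {
            return in.readObject();
        }
    }

    /** Helper that produces the byte stream a packet would carry on the wire. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Arrays.asList(TeleportRequest.class.getName()));

        byte[] legit = serialize(new TeleportRequest(1, 64, -7));
        // Constructed stand-in for an attacker payload: any class outside the allow-list.
        byte[] hostile = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, legit   : " + decodeUnsafe(legit).getClass().getName());
        System.out.println("unsafe, hostile : " + decodeUnsafe(hostile).getClass().getName()); // accepted: this is the bug

        System.out.println("safe,   legit   : " + decodeSafe(legit, allowed).getClass().getName());
        try {
            decodeSafe(hostile, allowed);
        } catch (InvalidClassException e) {
            System.out.println("safe,   hostile : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with javac and java: the unsafe decoder happily returns the HashMap, while the filtered one throws InvalidClassException before the class is loaded. Because resolveClass() runs for every class descriptor in the stream, the allow-list has to name every class in the packet's object graph (array types and boxed wrappers that appear as fields included), so the list for a real mod packet is usually longer than one entry. Overriding resolveClass() works on every Java version the modded game runs on; on Java 9+ (and 8u121+) the built-in ObjectInputFilter / jdk.serialFilter mechanism expresses the same policy without a subclass.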
coderabbitai Bot commented Jun 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: c43230af-806c-487b-b5e9-193aac30f096

📥 Commits

Reviewing files that changed from the base of the PR and between 15f204b and 01a1ebc.

📒 Files selected for processing (1)
  • README.md

📝 Walkthrough

Summary

This PR adds a comprehensive README documenting a critical remote code execution vulnerability in many Minecraft mods that stems from unsafe usage of Java serialization in network packets. The vulnerability allows instantiation of arbitrary Java classes and can lead to client/server compromise, credential theft, and session hijacking.

Changes

  • README.md: Added complete documentation including:
    • Vulnerability description and technical details
    • Impact assessment and prior similar incidents ("Mad Gadget")
    • Mitigation guidance through a custom patcher
    • Installation instructions for Minecraft Forge 1.7.x and other instances
    • Reference to the affected mods list maintained at docs/mods.md
    • Technical approach explanation describing the use of ClassFilteringObjectInputStream to enforce an allow-list of safe classes
    • Credits to contributors and contact email (ugba908@gmail.com)

The patcher automatically fetches the latest configuration from serializationisbad.json with fallback to local config, and displays an error if no config is present.

Lines changed: +3/-0

Walkthrough

README.md is updated to introduce a "Uses" section with contact information (ugba908@gmail.com), positioned between the technical approach section and the credits.

Changes

Documentation Update

  • Add Uses section to README (README.md): A new "Uses" heading with email contact is inserted into the README body.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A carrot-shaped edit, small but true,
An email now greets the world in view,
Between the method and the praise,
A contact point lights all the ways! 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The PR title 'README' is vague and does not clearly convey the main change; it merely states a filename without describing the significant security vulnerability documentation being added. Resolution: consider a more descriptive title such as 'Add README documenting Java serialization vulnerability in Minecraft mods' to clearly communicate the main change.

✅ Passed checks (4 passed)

  • Description check: ✅ Passed. The PR description is a comprehensive technical document explaining the Java serialization vulnerability in Minecraft mods, mitigation strategies, affected mods, and technical approach, which directly relates to the README content being added.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@github-project-automation github-project-automation Bot moved this from Todo to In Progress in @dianecloud's cripy-doodle Jun 7, 2026
@dianecloud dianecloud added bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request good first issue Good for newcomers question Further information is requested labels Jun 7, 2026
@dianecloud dianecloud self-assigned this Jun 7, 2026
coderabbitai Bot commented Jun 7, 2026

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.


Generating unit tests... This may take up to 20 minutes.

coderabbitai Bot commented Jun 7, 2026

✅ Created PR with unit tests: #2

