Unsafe Deserialization Vulnerability Discovered – List of affected mods below:

IMPORTANT: The Spacecraft server and modpack do no appear to be affected at this point in time.

Excerpt below is from: https://github.com/dogboy21/serializationisbad

This vulnerability is caused by an unsafe use of the Java serialization feature in network packets sent by servers to clients or clients to servers that allows to instantiate any Java class that is loaded in the Minecraft instance.

There was already a similar vulnerability in the past called “Mad Gadget”. You can read more about that here:

While there are just a relatively small amount of attacks targeting this vulnerability in the wild, because of the significance of the vulnerability, it is completely dangerous to play with unpatched mods currently. Attackers already attempted (and succeeded in some cases) Microsoft access token and browser session steals. But since they can literally execute any code they want on a target system, the possibilities are endless.

Affected mods:

Unlike stated in the above blog post, there are plenty more mods that are affected by this issue. Although some of them already are fixed in the latest versions, these mods were exploitable in at least one older version:

KEEP IN MIND THAT THIS LIST IS DEFINITELY NOT COMPLETE. THESE ARE JUST THE MODS WE ARE CURRENTLY AWARE OF. At least Curseforge is already investigating the issue internally so we can maybe get a nearly complete list of vulnerable mods and versions in the future.

Because of the rushed announcement, we are currently unable to give exact version ranges of affected mods. If you want to help out with that, feel free to contribute to this list.


Leave a Reply

Your email address will not be published. Required fields are marked *