Minecraft players interested in modding are potentially at risk of compromise. A Remote Code Execution (RCE) vulnerability in certain Minecraft mods allows attackers to run malicious commands on both servers and clients. The vulnerability, named BleedingPipe, allows attackers to take over a targeted server.

Minecraft modding is immensely popular, with a potentially huge number of servers in the wild doing their own thing. There’s a custom game type or world state for everybody.

The problem is that so many of them have been set up in a way which allows for this vulnerability to take hold. As Bleeping Computer notes, the compromised servers are only the first link in the chain. With the server taken over, attackers can then turn their attention to the players inhabiting those servers.

Attackers then exploit the issues residing in the mods used by the people playing, which lets them install malicious software on those players' PCs. Given that Minecraft has around 140 million monthly active players, this isn’t great news. While a lot of them are playing on console and so not susceptible to Windows malware, a huge modding base exists in PC land.

From the Minecraft security (MMPA) article highlighting details of the attack:

BleedingPipe is an exploit being used in the wild allowing FULL remote code execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge (other versions could also be affected), alongside some other mods.

This is a vulnerability in mods using unsafe deserialization code, not in Forge itself.

The article goes on to list some of the affected mods, and it’s worth noting that this list is by no means exhaustive:

EnderCore (dependency of EnderIO). The GT New Horizons fork has been fixed, and the original has been as well, but EnderIO’s minimum versions has not yet been updated.

LogisticsPipes. This has once again been fixed in GT New Horizons version as of July 25, 2023, and the original is fixed since version 0.10.0.71. MC 1.12 versions are not affected. If you have played on a server with a vulnerable version, assume you are infected.

The 1.7-1.12 versions of BDLib. Once again, GTNH fork has this fixed, but the developer of the original currently does not plan to fix it. Assume you are infected if you have played on a server and are not on the GTNH fork.

Smart Moving 1.12

Brazier

DankNull

Gadomancy

The article also claims a similar issue was first reported back in 2022. After having been addressed, this problem has resurfaced in various forms, impacting several mods along the way. The individuals behind the attack have “scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers”. At the time of writing, nobody knows the payload content being sent to potentially vulnerable servers.

Server admins are advised to check for suspicious files, along with updating or removing vulnerable mods. For players, the news isn’t particularly reassuring:

As a player if you don’t play on servers, you are not affected.

Essentially, either don’t play on servers, or run various scans after a Minecraft session and hope for the best. There is also the option of installing a mod called PipeBlocker on Forge servers and clients, which protects against the BleedingPipe vulnerability.
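
The root cause quoted above is unsafe Java deserialization in mod code. The following is an added example, not code from the MMPA article, any affected mod, or PipeBlocker: it contrasts the unsafe pattern with a general mitigation for this bug class, an allow-list enforced while classes are resolved. The class name, the allow-list contents and the sample objects are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class FilteredPacketReader {
    // Hypothetical allow-list: the only classes this mod's packets may carry.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.lang.Integer", "java.lang.Number", "java.util.ArrayList"));

    // Unsafe pattern: any Serializable class on the classpath is instantiated
    // from untrusted bytes before the caller can check or cast the result.
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: classes outside the allow-list are rejected during
    // class resolution, before any object of that class is created.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not allowed in packet");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an expected payload and an unexpected class.
        System.out.println(readFiltered(serialize(new ArrayList<String>(Arrays.asList("stone", "dirt")))));
        try {
            readFiltered(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later, java.io.ObjectInputFilter offers the same control without subclassing ObjectInputStream.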

Abusing game servers is an occasionally used technique to infect as many people as possible. Something comparable happened this past week when Call of Duty servers were taken offline due to a similar approach. The smash hit DayZ game was famously attacked back in 2014 in much the same fashion.

Connecting to other devices or servers is always a potential risk, and where modding is thrown into the mix you can never be 100% sure that everything is as it should be. Stay safe, Minecraft fans!
