What you need to know
- The Minecraft community has caught wind of a new Java deserialization exploit called BleedingPipe that affects a large number of popular mods.
- Players that install these mods or play on a server that has them installed may be vulnerable to a Remote Code Execution (RCE) attack.
- This type of attack allows bad faith actors to execute code on another person's system, and often results in identity theft.
- Aside from not playing modded Minecraft right now, you can scan and patch your game files with community-developed tools. Server owners should update their mods and install the PipeBlocker mod that attempts to fix the BleedingPipe vulnerability.
Minecraft Java Edition players and server owners have discovered the rise of a new security vulnerability that can enable bad faith actors to remotely execute code on their computers. This exploit takes advantage of Java deserialization, and if you use one of the many popular mods vulnerable to it or play on a server that has them installed, you may be affected.
The security hole — dubbed "BleedingPipe" by the Minecraft Malware Prevention Alliance (MMPA) community group — works by hooking into Java's ObjectInputStream class that gets used for deserialization. Hackers sneak dangerous code into data sent to a server, which is then read, "deserialized," and converted into a Java object. This code is executed once it passes through this process, and can then be transferred to clients (players) that connect to the affected server.
A wide number of different popular Minecraft mods are vulnerable, including AetherCraft, Immersive Armors, CreativeCore, ttCore, and others. You can look through this comprehensive list of the mods that was compiled by GitHub user dogboy21. Additionally, the MMPA's blog post on the matter lists some other affected mods and explains the exploit in more detail. The video from YouTube channel PwnFunction embedded below also covers how insecure deserialization attacks like this one work.
Remote Code Execution (RCE) exploits are very dangerous, as bad faith actors can use them to steal sensitive data from your web browsers and installed programs, resulting in possible identity theft. They might also infect your system and use it to spread code elsewhere, or install ransomware to try and deny you access to your files unless you pay a sum of money.
Many Minecraft community members first became aware of BleedingPipe in early July, when a hacker used it to steal information from clients connected to a public modded server. The server's owner, Yoyoyopo5, reported that the exploit was used to lift web browser, Discord, and Steam details from players on the server. Notably, the MMPA has since stated that someone "scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers," and that a "likely malicious payload was then deployed onto all affected servers."
If you're looking for a way to protect yourself from BleedingPipe, the best way to do so for now is ultimately to not play Minecraft with any of the affected mods installed, and also to avoid modded servers that might be using them. Aside from that, the MMPA suggests scanning your Minecraft game directory with the jSus and jneedle tools if you're a player. dogboy21 also developed a patcher that attempts to repair this vulnerability, which you can download from the aforementioned GitHub page.
Server owners, meanwhile, should use jSus and jneedle to check on their installed mods, and also install the MMPA's PipeBlocker mod that protects against the exploit by filtering Java's ObjectInputStream. If you use them, updating EnderIO and LogisticsPipes is highly recommended as well, as is using the modified GT New Horizons version of the BDLib mod.