← Назад к ресурсам

CrashExploitFixer

This mod fixes a bunch of crash exploits discovered in Minecraft.

Modrinth management optimization utility

Описание

# CrashExploitFixer The mod currently patches three different exploits for all affected Minecraft versions from 1.14.4 to Latest! ## Entity Selector NBT Stack Overflow A stack overflow vulnerability in Minecraft versions 1.14.4 through the latest release at the time of writing allows attackers to crash servers by abusing deeply nested NBT data inside entity selectors, causing recursive parsing in `TagParser` to exhaust the JVM stack. While Minecraft 1.21.1 prevents unprivileged players from triggering the issue through entity selectors, operators and creative-mode players can still reproduce the crash on unpatched servers. Notably, PaperMC discovered and [patched](https://github.com/PaperMC/Paper/blob/df3b6544f74be73c8882b97c43d39022340f2d74/patches/server/0951-Improve-tag-parser-handling.patch) the underlying parser issue months earlier. Blogpost from haykam: [haykam.com](https://web.archive.org/web/20250924134748/https://haykam.com/blog/entity-selector-stack-overflow-crash) ## Excessive Network Object Allocation A denial-of-service vulnerability affecting Minecraft networking allowed authenticated players to crash servers by sending malicious packets that triggered excessive memory allocation during collection deserialization through `FriendlyByteBuf.readCollection`, `FriendlyByteBuf.readMap`, or related methods. While the issue was exploitable through a Fabric API packet and likely many modded packets across different loaders, NeoForge and Fabric patched the issue for their most active versions (NeoForge: 1.21.1 and 26.1, Fabric: 1.20.1, 1.21.1, 1.21.11, 26.1, 26.2). CrashExploitFixer patches the issue for all versions of Forge, NeoForge, and Fabric and is compatible with their fixes. Many thanks to [Paul](https://github.com/pau101) for reporting this in private Blogpost from NeoForge: [neoforged.net](https://neoforged.net/news/mitigating-vulnerabilities-network/) ## Translatable Component Expansion A denial-of-service vulnerability affecting Minecraft 1.16 through 1.21.4 allowed attackers to craft recursively expanding text components that could inflate into enormous strings during parsing, flattening, or calls such as `Component#getString()`, leading to severe memory exhaustion and client or server soft-crashes. Newer research showed that specially constructed hover-event payloads could trigger the issue without elevated permissions in vanilla 1.20.5–1.21.4. PaperMC had already [protected against](https://github.com/PaperMC/Paper/blob/8dea6f1761c97da76fa2e42c6f74fb1242c23feb/paper-server/patches/sources/net/minecraft/network/chat/contents/TranslatableContents.java.patch) this class of exploit for years, while modded environments remain especially vulnerable due to widespread use of `FriendlyByteBuf#readComponent()` and related component deserialization paths in network packets. Many thanks to [Paul](https://github.com/pau101) for reporting this in private