Описание
# CrashExploitFixer
The mod currently patches three different exploits for all affected Minecraft versions from 1.14.4 to Latest!
## Entity Selector NBT Stack Overflow
A stack overflow vulnerability in Minecraft versions 1.14.4 through the latest release at the time of writing allows
attackers to crash servers by abusing deeply nested NBT data inside entity selectors, causing recursive parsing in
`TagParser` to exhaust the JVM stack. While Minecraft 1.21.1 prevents unprivileged players from triggering the
issue through entity selectors, operators and creative-mode players can still reproduce the crash on unpatched servers.
Notably, PaperMC discovered and [patched](https://github.com/PaperMC/Paper/blob/df3b6544f74be73c8882b97c43d39022340f2d74/patches/server/0951-Improve-tag-parser-handling.patch) the underlying parser issue months earlier.
Blogpost from haykam: [haykam.com](https://web.archive.org/web/20250924134748/https://haykam.com/blog/entity-selector-stack-overflow-crash)
## Excessive Network Object Allocation
A denial-of-service vulnerability affecting Minecraft networking allowed authenticated players to crash servers by
sending malicious packets that triggered excessive memory allocation during collection deserialization through
`FriendlyByteBuf.readCollection`, `FriendlyByteBuf.readMap`, or related methods. While the issue was exploitable
through a Fabric API packet and likely many modded packets across different loaders, NeoForge and Fabric patched the
issue for their most active versions (NeoForge: 1.21.1 and 26.1, Fabric: 1.20.1, 1.21.1, 1.21.11, 26.1, 26.2).
CrashExploitFixer patches the issue for all versions of Forge, NeoForge, and Fabric and is compatible with their fixes.
Many thanks to [Paul](https://github.com/pau101) for reporting this in private
Blogpost from NeoForge: [neoforged.net](https://neoforged.net/news/mitigating-vulnerabilities-network/)
## Translatable Component Expansion
A denial-of-service vulnerability affecting Minecraft 1.16 through 1.21.4 allowed attackers to craft recursively
expanding text components that could inflate into enormous strings during parsing, flattening, or calls such as
`Component#getString()`, leading to severe memory exhaustion and client or server soft-crashes. Newer research showed
that specially constructed hover-event payloads could trigger the issue without elevated permissions in vanilla
1.20.5–1.21.4. PaperMC had already [protected against](https://github.com/PaperMC/Paper/blob/8dea6f1761c97da76fa2e42c6f74fb1242c23feb/paper-server/patches/sources/net/minecraft/network/chat/contents/TranslatableContents.java.patch)
this class of exploit for years, while modded environments remain especially vulnerable due to widespread use of
`FriendlyByteBuf#readComponent()` and related component deserialization paths in network packets.
Many thanks to [Paul](https://github.com/pau101) for reporting this in private