CrashExploitFixer
The mod currently patches three different exploits on all affected Minecraft versions, from 1.14.4 to the latest release!
Entity Selector NBT Stack Overflow
A stack overflow vulnerability in Minecraft versions 1.14.4 through the latest release at the time of writing allows
attackers to crash servers by abusing deeply nested NBT data inside entity selectors, causing recursive parsing in
TagParser to exhaust the JVM stack. While Minecraft 1.21.1 prevents unprivileged players from triggering the
issue through entity selectors, operators and creative-mode players can still reproduce the crash on unpatched servers.
Notably, PaperMC discovered and patched the underlying parser issue months earlier.
Blog post from haykam: haykam.com
Excessive Network Object Allocation
A denial-of-service vulnerability affecting Minecraft networking allowed authenticated players to crash servers by
sending malicious packets that triggered excessive memory allocation during collection deserialization through
FriendlyByteBuf.readCollection, FriendlyByteBuf.readMap, or related methods. While the issue was exploitable
through a Fabric API packet and likely many modded packets across different loaders, NeoForge and Fabric patched the
issue for their most active versions (NeoForge: 1.21.1 and 26.1, Fabric: 1.20.1, 1.21.1, 1.21.11, 26.1, 26.2).
CrashExploitFixer patches the issue for all versions of Forge, NeoForge, and Fabric and is compatible with their fixes.
Many thanks to Paul for reporting this in private.
Blog post from NeoForge: neoforged.net
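The allocation problem described above, shown as an added example that is not CrashExploitFixer's, NeoForge's, or Fabric's actual patch: a collection reader that sizes its list from the count on the wire, next to one that validates the count first. It models the buffer with java.nio.ByteBuffer rather than FriendlyByteBuf; the class name, method names, and MAX_ELEMENTS value are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

public class BoundedCollectionRead {
    // Hypothetical cap for this sketch; a real protocol would choose one per packet type.
    static final int MAX_ELEMENTS = 4096;

    // Minecraft-style VarInt: 7 data bits per byte, high bit set means more bytes follow.
    static int readVarInt(ByteBuffer buf) {
        int value = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            byte b = buf.get();
            value |= (b & 0x7F) << shift;
            if ((b & 0x80) == 0) return value;
        }
        throw new IllegalArgumentException("VarInt too long");
    }

    // Risky pattern: the capacity comes straight from the sender, so a few bytes
    // of input decide how large a backing array the receiver allocates.
    static List<Integer> readUnbounded(ByteBuffer buf) {
        int count = readVarInt(buf);
        List<Integer> out = new ArrayList<>(count);
        for (int i = 0; i < count; i++) out.add(buf.getInt());
        return out;
    }

    // Hardened pattern: check the count against a hard cap and against the bytes
    // actually present in the buffer before allocating anything.
    static List<Integer> readBounded(ByteBuffer buf) {
        int count = readVarInt(buf);
        if (count < 0 || count > MAX_ELEMENTS)
            throw new IllegalArgumentException("collection count out of range: " + count);
        if (count > buf.remaining() / Integer.BYTES)
            throw new IllegalArgumentException("count exceeds remaining payload");
        List<Integer> out = new ArrayList<>(count);
        for (int i = 0; i < count; i++) out.add(buf.getInt());
        return out;
    }

    public static void main(String[] args) {
        // Constructed input: VarInt count 3, then three big-endian 4-byte ints.
        ByteBuffer ok = ByteBuffer.wrap(new byte[] {3, 0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0, 30});
        System.out.println(readBounded(ok));
        // Constructed input: VarInt count 1,000,000 with no element data behind it.
        ByteBuffer bad = ByteBuffer.wrap(new byte[] {(byte) 0xC0, (byte) 0x84, 0x3D});
        try { readBounded(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second check in readBounded matters even when the cap is generous: a count that cannot fit in the remaining payload is rejected before any list is created.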
Translatable Component Expansion
A denial-of-service vulnerability affecting Minecraft 1.16 through 1.21.4 allowed attackers to craft recursively
expanding text components that could inflate into enormous strings during parsing, flattening, or calls such as
Component#getString(), leading to severe memory exhaustion and client or server soft-crashes. Newer research showed
that specially constructed hover-event payloads could trigger the issue without elevated permissions in vanilla
1.20.5–1.21.4. PaperMC had already protected against this class of exploit for years, while modded environments remain
especially vulnerable due to widespread use of FriendlyByteBuf#readComponent() and related component deserialization
paths in network packets.
Many thanks to Paul for reporting this in private.


