Minecraft exploit makes it 'completely dangerous' to play with unpatched mods right now

Minecraft creeper - an explosion of creepers lurk around a sandy beach
(Image credit: Mojang)

Minecraft server admins better lock up their Echo Shards because this newsroom is about to get deep and dark. According to the Minecraft Malware Prevention Alliance (MMPA)—yep, that's a thing—users have spotted a vulnerability affecting a whole lot of Minecraft servers, citing many popular mods able to be exploited by hackers looking to take over players' machines.

"This vulnerability is well known in the Java community, and has been fixed before in other mods," the MMPA blog post notes (via Tom's Hardware). It's not a new thing, then. Though the post makes it clear that "none have been of this scale in the Minecraft community."

One Computer Science student, known as Dogboy21 on GitHub, spotted something like 36 mods that are vulnerable to the so-called Bleeding Pipe exploit. They warn that, right now: "It is completely dangerous to play with unpatched mods currently." 

"Attackers already attempted (and succeeded in some cases) Microsoft access token and browser session steals. But since they can literally execute any code they want on a target system, the possibilities are endless."

Your next upgrade

Nvidia RTX 4070 and RTX 3080 Founders Edition graphics cards

(Image credit: Future)

Best CPU for gaming: The top chips from Intel and AMD.
Best gaming motherboard: The right boards.
Best graphics card: Your perfect pixel-pusher awaits.
Best SSD for gaming: Get into the game ahead of the rest.

The exploit utilises a Java deserialization attack/gadget chain that's able to take advantage of "unsafe use of the Java serialization feature in network packets sent by servers to clients or clients to servers."

Thankfully Dogboy21 (what a name) has been working together with other helpful users to offer a fix on their GitHub page.

Mods such as EnderCore, AetherCraft mode, LogisticsPipes, Immersive Armors and ttCore are just a few of those affected, though the Git page warns users to "KEEP IN MIND THAT THIS LIST IS DEFINITELY NOT COMPLETE", beside the (mostly) full list.

Katie Wickens
Hardware Writer

Screw sports, Katie would rather watch Intel, AMD and Nvidia go at it. Having been obsessed with computers and graphics for three long decades, she took Game Art and Design up to Masters level at uni, and has been rambling about games, tech and science—rather sarcastically—for four years since. She can be found admiring technological advancements, scrambling for scintillating Raspberry Pi projects, preaching cybersecurity awareness, sighing over semiconductors, and gawping at the latest GPU upgrades. Right now she's waiting patiently for her chance to upload her consciousness into the cloud.