Can an unmodded paper server be affected by unsafe deserialization on modded clients?

I was recently sent a link to GitHub describing a security vulnerability in many mods that, if exploited, allowed for arbitrary remote code execution on servers and clients. I run a Paper server that is completely unmodded, but I'm also not familiar enough with Java to know if the exploit could pose an issue to an unmodded server hosting clients with affected client-side mods. Here is the link to the GitHub page: https://github.com/dogboy21/serializationisbad Any help would be very much appreciated.
4 Replies
Admincraft Meta
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close !close !solved !answered
Requested by xwhylophone#0
QarthO (2y ago)
From my understanding, this vulnerability affects older versions of Minecraft on Forge. https://blog.mmpa.info/posts/bleeding-pipe/
Bleeding Pipe: A RCE vulnerability exploited in the wild
A new vulnerability in LogisticsPipes and other mods allowing RCE on clients and servers.
Xwhylophone (OP, 2y ago)
Seems like all the known mods with the vulnerability are older, but the article also seems to say there’s no reason why newer versions couldn’t be affected unless they specifically fixed the issue. My question, though, is more whether an unmodded server could even be affected by modded clients? My assumption is no, but I’m just curious for a second opinion. !solved
Admincraft Meta
post closed!
The post/thread has been closed!
Requested by xwhylophone#0
