GHSA-h79x-98r2-g6qc
MEDIUMImpersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP
Blast Radius
pocketmine/pocketmine-mpReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other.
This vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy).
If you are using a proxy, please check that it supports protocol encryption and that it is enabled.
Technical details
<details> <summary>click to expand</summary>Basics
- The client generates a private ECC key
clientPrivwhich it uses to complete ECDH for encryption. - A JWT containing the public key
clientPubcorresponding to this key is signed by Microsoft servers with the Mojang root public keymojangPub. - The server verifies that the token was issued by Microsoft servers by verifying the JWT signature with
mojangPub.
Why this is a problem
However, this only ensures that the token was issued by Microsoft. It does not ensure that the client actually possesses the private key corresponding to the public key in the token.
In a login replay attack, the attacker sends a login captured from another session. This login is valid because it is verifiable by mojangPub; however, without encryption, the server doesn't know that the client actually possesses clientPriv, and the authenticity of the client cannot be verified.
How encryption prevents the attack
- The server calculates a shared secret for encryption using ECDH of
serverPrivandclientPub. - It then signs a return token using
serverPrivand sends this to the client, along withserverPub. - The client then verifies the JWT using
serverPub, and calculates the same shared secret as the server usingclientPrivandserverPub.
If the client does not possess clientPriv (i.e. because it replayed a stolen login), then the session cannot proceed once encryption is enabled, since the client cannot calculate the shared secret needed to decrypt the server packets and encrypt its own packets.
Since PM3 does not implement protocol encryption, this means that ALL versions of PM3 are affected by this login stealing attack.
How does the attacker capture a login in the first place?
The typical way to do this would be to trick a player into joining a server controlled by the attacker. This would allow the attacker to grab the login from the connection and store it for future use.
Are the logins valid forever?
No. All the JWTs have expiry dates after which they cannot be used. These expiry dates are typically 2-3 days after the token was issued by XBOX servers. PocketMine-MP 3.x does verify these expiry dates, so the use-by dates of these attacks are limited.
</details>Patches
This problem has been fixed in all 4.x versions by implementing Minecraft protocol encryption.
This has not yet been addressed on 3.x, but since this vulnerability is already public knowledge, the advisory has been released early to make sure people are aware of it and the mitigation steps they can take.
Update 2022-01-22: This has been fixed on 3.x by d28be4eaf24a890f7ef110a51181a3d806a6acca.
Workarounds
- Use a proxy that supports encryption such as gophertunnel between your server and players. Make sure that the server only accepts connections from the proxy. If the proxy is on the same machine as the server, you can use
server-ip=127.0.0.1to ensure that only the proxy can create connections for you.
The following things may help mitigate the problem:
- Verify that the
LoginPacketserverAddressfield is the same as the server's exposed domain name. For example: https://github.com/JustTalDevelops/AntiLoginForger WARNING: THIS DOES NOT SOLVE THE ROOT ISSUE. YOU WILL REMAIN VULNERABLE UNLESS YOU UPGRADE.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | pocketmine/pocketmine-mp | ≥ 3.0.0&&< 4.0.0 | 4.0.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pocketmine/pocketmine-mp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update pocketmine/pocketmine-mp to 4.0.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h79x-98r2-g6qc is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-h79x-98r2-g6qc is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-h79x-98r2-g6qc. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-h79x-98r2-g6qc in your dependencies?
O3 detects GHSA-h79x-98r2-g6qc across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.