🐘 Packagist

GHSA-q898-frwq-f3qp

MEDIUM

Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

Also known as CVE-2024-47765
Published
Oct 4, 2024
Updated
Nov 13, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org
0.4% probability of exploitation in the next 30 days (Lower Risk, 27th percentile)
[EPSS trend chart, Dec 25 to Jun 26]

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘dev-lancer/minecraft-motd-parser

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.

Context

Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the description property of the Status Response packet. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components. By utilizing the aforementioned HtmlGenerator class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.

Details

The HtmlGenerator iterates over the MotdItem objects contained in a MotdItemCollection to build an HTML string. An attacker who controls the color or text property of a MotdItem can inject their own HTML into the page while it is being generated, for example by serving a malicious MOTD from a Minecraft server under their control that is queried and then passed to the HtmlGenerator.

This XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here:

Proof of Concept

JavaScript can be injected into the output of the HtmlGenerator whether the MOTD is parsed from a string via TextParser or from an array via ArrayParser. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.

XSS via TextParser

<?php

// Composer autoloader for the installed library (assumed at the usual path).
require __DIR__ . '/vendor/autoload.php';

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\TextParser;

// The text of the parsed item reaches the generated HTML unescaped, so the
// <script> element is emitted verbatim and runs when the page loads.
$motdCollection = (new TextParser())->parse('<script>alert("XSS on page load")</script>', new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

XSS via ArrayParser

<?php

// Composer autoloader for the installed library (assumed at the usual path).
require __DIR__ . '/vendor/autoload.php';

use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\ArrayParser;

// Two text components, the shape the Status Response "description" can carry.
$motdCollection = (new ArrayParser())->parse([
    [
        // The double quote closes the attribute the colour lands in and the
        // rest injects an event handler on the generated span element.
        'color' => '#" onmouseover="javascript:alert(\'XSS when mouse pointer enters the span element\')"',
        'text' => 'Hover me',
    ],
    [
        // The text property is emitted as element content without escaping.
        'color' => '#000000',
        'text' => '<script>alert("XSS on page load")</script>',
    ]
], new MotdItemCollection());

echo (new HtmlGenerator())->generate($motdCollection);

Impact

If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect:

  • Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.
  • Users visiting Minecraft server status websites to query information about a Minecraft server.
  • Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner's consent.

It is not clear whether, or which, platforms depend on this library.

Remediation

I suggest converting all HTML special characters in the values of the color and text properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.

This could be achieved by introducing a new private escape function in the HtmlGenerator class:

private function escape(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

This function should be called in the following two lines:
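As an added example that is not the library's code, the following PHP script reproduces the pattern the advisory describes with a stand-in generator: one form interpolates color and text straight into a span (the vulnerable shape), the other entity-encodes both values with the escape function suggested above and additionally rejects anything that is not a colour. The class-free function names, the span markup and the #RRGGBB-or-name colour formats are assumptions made for illustration; the two items are the payloads from the ArrayParser proof of concept.

```php
<?php
// Added example, not the library's code: a stand-in for the HtmlGenerator
// pattern the advisory describes, in vulnerable and hardened form.
declare(strict_types=1);

// Constructed MOTD items, the same payloads as the ArrayParser PoC.
const MALICIOUS_ITEMS = [
    ['color' => '#" onmouseover="javascript:alert(\'XSS\')"', 'text' => 'Hover me'],
    ['color' => '#000000', 'text' => '<script>alert("XSS on page load")</script>'],
];

// Vulnerable pattern: color lands in an attribute and text in element
// content, neither filtered nor escaped.
function generateUnsafe(array $items): string
{
    $html = '';
    foreach ($items as $item) {
        $html .= '<span style="color: ' . $item['color'] . '">' . $item['text'] . '</span>';
    }
    return $html;
}

// Entity-encode for both attribute and text context. ENT_QUOTES is what
// neutralises the double quote used to break out of the style attribute.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumption for this example: a colour is either #RRGGBB or a plain CSS
// colour name. Anything else is not a colour and is replaced, not escaped.
function isValidColor(string $color): bool
{
    return preg_match('/^(#[0-9a-fA-F]{6}|[a-zA-Z]+)$/', $color) === 1;
}

// Hardened pattern: validate the colour, then escape every untrusted value.
function generateSafe(array $items, string $fallbackColor = '#000000'): string
{
    $html = '';
    foreach ($items as $item) {
        $color = isValidColor($item['color']) ? $item['color'] : $fallbackColor;
        $html .= '<span style="color: ' . escapeHtml($color) . '">'
               . escapeHtml($item['text']) . '</span>';
    }
    return $html;
}

// True if the markup still carries either injected construct.
function containsInjection(string $html): bool
{
    return stripos($html, '<script') !== false || stripos($html, 'onmouseover=') !== false;
}

$unsafe = generateUnsafe(MALICIOUS_ITEMS);
$safe   = generateSafe(MALICIOUS_ITEMS);

printf("vulnerable output (injection present: %s):\n%s\n\n",
    containsInjection($unsafe) ? 'yes' : 'no', $unsafe);
printf("hardened output (injection present: %s):\n%s\n",
    containsInjection($safe) ? 'yes' : 'no', $safe);
```

Run it with the php CLI and compare the two outputs: the hardened form keeps the visible text intact while the script element survives only as inert entity-encoded text and the injected handler never reaches the attribute. Escaping with ENT_QUOTES is what closes the attribute breakout on its own; rejecting non-colour values is defence in depth that keeps arbitrary strings out of the style attribute altogether, which is cheap because the generator knows exactly which colour formats it expects.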

Affected Packages

1 total, 1 fixed

Ecosystem: Packagist
Package: dev-lancer/minecraft-motd-parser
Vulnerable range: all versions before 1.0.6
Fix: 1.0.6

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree for dev-lancer/minecraft-motd-parser. For a Packagist package that means composer.json and, more importantly, composer.lock, which records the locked version of every direct and transitive dependency (including packages-dev). O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update dev-lancer/minecraft-motd-parser to 1.0.6 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-q898-frwq-f3qp is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: stop rendering HtmlGenerator output built from an untrusted MOTD, or escape the color and text properties of every MotdItem (for example with htmlentities or htmlspecialchars using ENT_QUOTES) before the collection reaches HtmlGenerator, and restrict color to the formats you expect. Treat the MOTD as attacker-controlled whenever the queried server is not yours, and remember that a server plugin can change it even when it is. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-q898-frwq-f3qp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-q898-frwq-f3qp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
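As an added example of the Detect step, which is neither O3's tooling nor code from the library: a small PHP script that reads composer.lock (both packages and packages-dev), looks for dev-lancer/minecraft-motd-parser and reports whether the locked version is below the 1.0.6 fix. The embedded composer.lock fragment is constructed for the example; pass the path of a real lock file as the first argument to run it against your project.

```php
<?php
// Added example, not O3's tooling and not the library's code: check a
// composer.lock for a vulnerable pin of the package named in the advisory.
declare(strict_types=1);

const VULNERABLE_PACKAGE = 'dev-lancer/minecraft-motd-parser';
const FIXED_VERSION = '1.0.6'; // first patched release per the advisory

// Constructed composer.lock fragment for the example; a real lock file has
// many more fields per package, which this check ignores.
const SAMPLE_LOCK = <<<'JSON'
{
  "packages": [
    {"name": "dev-lancer/minecraft-motd-parser", "version": "v1.0.5"},
    {"name": "symfony/console", "version": "v6.4.0"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.0"}
  ]
}
JSON;

function normaliseVersion(string $version): string
{
    // Composer pins tagged releases as "v1.0.5"; version_compare() does not
    // understand the "v" prefix, so strip it before comparing.
    return ltrim($version, 'vV');
}

/**
 * Returns the locked version string if the vulnerable package is pinned below
 * the fixed version, or null if it is absent or already patched. Branch pins
 * such as "dev-master" compare below any numbered release and are therefore
 * reported too, which is the right default: review them by hand.
 */
function findVulnerablePin(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    // packages-dev is scanned as well: the generator is just as reachable
    // from a dev dependency that renders MOTDs in a test or admin tool.
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $package) {
            if (($package['name'] ?? '') !== VULNERABLE_PACKAGE) {
                continue;
            }
            $version = normaliseVersion((string) ($package['version'] ?? '0'));
            if (version_compare($version, FIXED_VERSION, '<')) {
                return (string) $package['version'];
            }
        }
    }
    return null;
}

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOCK;
$pin = findVulnerablePin($lockJson);
if ($pin !== null) {
    fwrite(STDERR, VULNERABLE_PACKAGE . " is locked at $pin (< " . FIXED_VERSION
        . "): GHSA-q898-frwq-f3qp applies\n");
    exit(1);
}
echo 'no vulnerable pin of ' . VULNERABLE_PACKAGE . " found\n";
```

With the embedded sample the script exits non-zero and names the v1.0.5 pin; after `composer update dev-lancer/minecraft-motd-parser` to 1.0.6 or later it exits zero. A lock-file check confirms what is installed, not whether HtmlGenerator is actually called on untrusted MOTDs, so pair it with a search of your own code for HtmlGenerator usage.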
