216.73.216.86

CVE-2025-27107

· Published 13/03/2025 17:15 · Modified 13/03/2025 17:15

Labels: CVE-2025-27107 2025-03-13CVE-2025-27107CWE-74[email protected]

Essential information

Published
13/03/2025 17:15
Modified
13/03/2025 17:15
Author
Creator
CISA KEV
No
CWE

Description

Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated Scripting prior to versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 may be vulnerable to arbitrary code execution. By using Java reflection on a thrown exception object it's possible to escape the JavaScript sandbox for IntegratedScripting's Variable Cards, and leverage that to construct arbitrary Java classes and invoke arbitrary Java methods. This vulnerability allows for execution of arbitrary Java methods, and by extension arbitrary native code e.g. from `java.lang.Runtime.exec`, on the Minecraft server by any player with the ability to create and use an IntegratedScripting Variable Card. Versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 fix the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
minecraft / integrated scripting cpe:2.3:a:minecraft:integrated_scripting:1.21.1-1.0.17:*:*:*:*:*:*:*
minecraft / integrated scripting cpe:2.3:a:minecraft:integrated_scripting:1.21.4-1.0.9-254:*:*:*:*:*:*:*
minecraft / integrated scripting cpe:2.3:a:minecraft:integrated_scripting:1.20.1-1.0.13:*:*:*:*:*:*:*
minecraft / integrated scripting cpe:2.3:a:minecraft:integrated_scripting:1.19.2-1.0.10:*:*:*:*:*:*:*

References