A critical security flaw in CurseForge's desktop launcher allowed attackers to execute arbitrary code on millions of systems by exploiting unauthenticated WebSocket connections. The vulnerability enabled malicious websites to trigger modpack launches with attacker-controlled JVM arguments, bypassing origin checks. After a coordinated disclosure process, CurseForge patched the issue in November 2025.
Unsecured WebSockets in CurseForge Launcher Enabled Drive-By RCE Attacks
Security researcher Elliott DIY uncovered a severe vulnerability in CurseForge's desktop application that could allow remote code execution (RCE) via malicious websites. The flaw stemmed from the CurseAgent.exe component, which exposed a local WebSocket server without authentication or origin validation when the launcher was running.
The Vulnerability Chain
CurseForge's WebSocket server, bound to localhost on a random port, accepted commands without verifying the origin of incoming connections. As Elliott demonstrated, a script with a forged origin header could interact freely with the exposed API methods:
{
"args": [{
"MinecraftInstanceGuid": "9ee1c6b8-f0f3-441c-b6be-6b03a7a6019a",
"AdditionalJavaArguments": "-XX:MaxMetaspaceSize=16m -XX:OnOutOfMemoryError=\"cmd.exe /c calc\""
}],
"type": "method",
"name": "minecraftTaskLaunchInstance"
}
Critical methods included:
createModpack: Generated new modpacks with attacker-defined parametersminecraftTaskLaunchInstance: Launched instances with arbitrary JVM argumentsminecraftGetDefaultLocation: Revealed system paths
The AdditionalJavaArguments parameter proved particularly dangerous—attackers could inject flags forcing JVM crashes to execute system commands via OnOutOfMemoryError handlers.
Exploit Mechanics
Elliott's proof-of-concept chained two attacks:
- Modpack Creation: A forged
createModpackcall established a malicious modpack on the victim's system. - RCE Trigger: The new modpack's GUID was passed to
minecraftTaskLaunchInstancewith weaponized JVM arguments, spawning processes likecalc.exe.
Since CurseAgent used random ports, attackers first scanned local ports (≈16,000 probes) to locate the WebSocket endpoint—feasible in Chromium browsers despite performance impacts.
Disclosure Timeline
| Date | Milestone |
|---|---|
| July 29, 2025 | Vulnerability discovered and reported |
| August 31, 2025 | CurseForge formally acknowledged the issue |
| November 2, 2025 | Patch released in v1.289.3 with origin checks |
| December 23, 2025 | Public disclosure after user rollout |
The three-month window before patching left millions of mod users vulnerable to drive-by attacks from compromised sites.
Implications for Developer Security
This case underscores critical lessons in local API design:
- Origin Validation Is Non-Negotiable: WebSocket servers must enforce strict CORS policies, even on localhost.
- JVM Arguments Demand Sanitization: Allowing user-controlled inputs in runtime parameters creates execution pipelines.
- Ephemeral Ports Aren’t Security: Port randomization alone can’t thwart determined attackers with browser access.
CurseForge’s resolution—though delayed—demonstrates how community-driven platforms can evolve security postures. Yet as Elliott notes, the initial absence of a dedicated security contact highlights how easily such flaws can slip through in complex desktop ecosystems. For developers, it’s a stark reminder that convenience features like in-app WebSockets must be engineered with zero-trust principles from inception.
Source: Elliott DIY Blog
Comments
Please log in or register to join the discussion