|Title||Minecraft arbitrary JSON file deletion via path traversal|
|Affected versions||<= 1.17|
|Vulnerability type||CWE-22 (Path Traversal)|
|Description||Minecraft has a vulnerability that allows an attacker to perform path traversal if "online-mode=false" is specified, which leads to arbitrary JSON file deletion.|
|Status||Fixed in 1.17.1|
|Recommendation||Update to 1.17.1 or above. |
If you can't update Minecraft, there are some workarounds:
1. Set "online-mode" to "true".
2. Verify Minecraft username before handling connections.
3. The latest versions of Forge 1.15.2/1.16.5 and Spigot 1.16.5/1.17 include a patch for this vulnerability, according to their developers.
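
One way to implement workaround 2 is sketched below as an added example; it is not code from this advisory, Mojang, Forge or Spigot. The class and method names, the accepted-name rule (3 to 16 characters from letters, digits and underscore) and the directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Added example: username check applied before a name is used in any file path. */
public final class UsernameGuard {
    // Assumption: only names of 3-16 characters from [A-Za-z0-9_] are accepted.
    private static final Pattern VALID_NAME = Pattern.compile("[A-Za-z0-9_]{3,16}");

    /** True only when the whole name matches, so separators and dots never pass. */
    public static boolean isValidUsername(String name) {
        return name != null && VALID_NAME.matcher(name).matches();
    }

    /**
     * Builds the path of a per-player JSON file and refuses any name that
     * would leave baseDir. The directory layout is hypothetical.
     */
    public static Path playerJsonPath(Path baseDir, String name) throws IOException {
        if (!isValidUsername(name)) {
            throw new IOException("rejected username");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name + ".json").normalize();
        // Defence in depth: the resolved file must sit directly inside baseDir.
        if (!base.equals(target.getParent())) {
            throw new IOException("path escapes " + base);
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("playerdata-example"); // constructed directory name
        // Constructed sample names: the first two are accepted, the rest rejected.
        String[] samples = {"Steve", "Alex_01", "../example", "..\\..\\example",
                            "a/b", "", "name.with.dots"};
        for (String s : samples) {
            try {
                System.out.println("accept  " + s + " -> " + playerJsonPath(base, s));
            } catch (IOException e) {
                System.out.println("reject  \"" + s + "\" (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check belongs at the point where the connection's username is first received, before any code derives a file name from it.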