Advisory #55
TitleMinecraft arbitrary JSON file deletion via path traversal
CVE IDCVE-2021-35054
VendorMojang Studios
Affected productMinecraft
Affected versions=< 1.17
Vulnerability typeCWE-22 (Path Traversal)
DescriptionMinecraft has a vulnerability that allows an attacker to perform path traversal if "online-mode=false" is specified, which leads to arbitrary JSON file deletion.
StatusFixed in 1.17.1
RecommendationUpdate to 1.17.1 or above.

If you can't update your Minecraft, there are some workarounds:
1. Set "online-mode" to "true".
2. Verify Minecraft username before handling connections.
3. Latest versions of Forge 1.15.2/1.16.5 and Spigot 1.16.5/1.17 includes a patch for this vulnerability according to the developer of them.