CurseForge Vulnerability Exposed Millions to Remote Code Execution via Unsecured WebSockets
Share this article
Unsecured WebSockets in CurseForge Launcher Enabled Drive-By RCE Attacks
Security researcher Elliott DIY uncovered a severe vulnerability in CurseForge's desktop application that could allow remote code execution (RCE) via malicious websites. The flaw stemmed from the CurseAgent.exe component, which exposed a local WebSocket server without authentication or origin validation when the launcher was running.
The Vulnerability Chain
CurseForge's WebSocket server, bound to localhost on a random port, accepted commands without verifying the origin of incoming connections. As Elliott demonstrated, a script with a forged origin header could interact freely with the exposed API methods:
{
"args": [{
"MinecraftInstanceGuid": "9ee1c6b8-f0f3-441c-b6be-6b03a7a6019a",
"AdditionalJavaArguments": "-XX:MaxMetaspaceSize=16m -XX:OnOutOfMemoryError=\"cmd.exe /c calc\""
}],
"type": "method",
"name": "minecraftTaskLaunchInstance"
}
Critical methods included:
- createModpack: Generated new modpacks with attacker-defined parameters
- minecraftTaskLaunchInstance: Launched instances with arbitrary JVM arguments
- minecraftGetDefaultLocation: Revealed system paths
The AdditionalJavaArguments parameter proved particularly dangerous—attackers could inject flags forcing JVM crashes to execute system commands via OnOutOfMemoryError handlers.
Exploit Mechanics
Elliott's proof-of-concept chained two attacks:
1. Modpack Creation: A forged createModpack call established a malicious modpack on the victim's system.
2. RCE Trigger: The new modpack's GUID was passed to minecraftTaskLaunchInstance with weaponized JVM arguments, spawning processes like calc.exe.
Since CurseAgent used random ports, attackers first scanned local ports (≈16,000 probes) to locate the WebSocket endpoint—feasible in Chromium browsers despite performance impacts.
Disclosure Timeline
| Date | Milestone |
|---|---|
| July 29, 2025 | Vulnerability discovered and reported |
| August 31, 2025 | CurseForge formally acknowledged the issue |
| November 2, 2025 | Patch released in v1.289.3 with origin checks |
| December 23, 2025 | Public disclosure after user rollout |
The three-month window before patching left millions of mod users vulnerable to drive-by attacks from compromised sites.
Implications for Developer Security
This case underscores critical lessons in local API design:
- Origin Validation Is Non-Negotiable: WebSocket servers must enforce strict CORS policies, even on localhost.
- JVM Arguments Demand Sanitization: Allowing user-controlled inputs in runtime parameters creates execution pipelines.
- Ephemeral Ports Aren’t Security: Port randomization alone can’t thwart determined attackers with browser access.
CurseForge’s resolution—though delayed—demonstrates how community-driven platforms can evolve security postures. Yet as Elliott notes, the initial absence of a dedicated security contact highlights how easily such flaws can slip through in complex desktop ecosystems. For developers, it’s a stark reminder that convenience features like in-app WebSockets must be engineered with zero-trust principles from inception.
Source: Elliott DIY Blog