CVE-2023-25303
Description
ATLauncher <= 3.4.26.0 is vulnerable to Directory Traversal. A mrpack file can be maliciously crafted to create arbitrary files outside of the installation directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ATLauncher versions up to 3.4.26.0 allow directory traversal via crafted mrpack files, enabling arbitrary file writes outside the installation directory.
Vulnerability
ATLauncher versions up to and including 3.4.26.0 are affected by a directory traversal flaw when a .mrpack file is imported manually. The modrinth.index.json within the mrpack can contain specially crafted path strings that cause the launcher to download files to arbitrary locations outside its installation directory [1].
Exploitation
An attacker must craft a malicious .mrpack file with a manipulated modrinth.index.json containing path traversal sequences (e.g., ../). The victim must manually import this file into ATLauncher. No additional privileges or network position are required beyond the user's action [1].
Impact
Successful exploitation allows the attacker to write arbitrary files to the victim's filesystem outside the intended installation directory. This can lead to code execution if the written file is executed by the system or user, or other forms of compromise depending on the file location and content [1].
Mitigation
The vulnerability is fixed in ATLauncher version 3.4.27.0, which was released on February 4, 2023. The launcher auto-updates unless installed via AUR or Flatpak. As a workaround, users should avoid manually importing .mrpack files; modpacks installed through the launcher's Modrinth pack browser are safe [1]. No official workaround other than updating or avoiding manual imports is provided.
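For users who cannot update right away, a pack can be vetted before any manual import. The following is an added example, not ATLauncher's code and not the fix shipped in 3.4.27.0; it assumes the `files[].path` layout of modrinth.index.json from the Modrinth pack format, and the sample pack is constructed in memory.

```python
import io
import json
import zipfile
from pathlib import PureWindowsPath


def is_unsafe(path: str) -> bool:
    """True if an index path could resolve outside the instance directory."""
    if not path or "\x00" in path:
        return True
    # PureWindowsPath treats both '/' and '\' as separators, so one parse
    # covers POSIX-style and Windows-style traversal strings.
    p = PureWindowsPath(path)
    if p.drive or p.root:      # C:\..., C:rel, \\server\share, /etc/...
        return True
    # Conservative: any '..' component is rejected, even if it would
    # happen to resolve back inside the directory.
    return ".." in p.parts


def audit_mrpack(data: bytes) -> list[str]:
    """Return every files[].path in modrinth.index.json that is unsafe."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        index = json.loads(z.read("modrinth.index.json"))
    flagged = []
    for entry in index.get("files", []):
        path = entry.get("path")
        if not isinstance(path, str) or is_unsafe(path):
            flagged.append(str(path))
    return flagged


def build_sample() -> bytes:
    """Constructed sample pack: one benign entry and three escaping ones."""
    index = {"formatVersion": 1, "game": "minecraft", "name": "sample",
             "versionId": "1.0", "files": [
                 {"path": "mods/example.jar"},
                 {"path": "../../outside.txt"},
                 {"path": "mods\\..\\..\\outside.txt"},
                 {"path": "/tmp/outside.txt"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("modrinth.index.json", json.dumps(index))
    return buf.getvalue()


if __name__ == "__main__":
    for p in audit_mrpack(build_sample()):
        print("unsafe path:", p)
```

To check a real pack, pass the file's bytes to `audit_mrpack`; an empty list means no index entry was flagged by these rules.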
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ATLauncher/ATLauncher
- Range: <=3.4.26.0
Patches
No patches discovered yet.
References