CVE-2025-27107
Description
Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated Scripting prior to versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 may be vulnerable to arbitrary code execution. By using Java reflection on a thrown exception object it's possible to escape the JavaScript sandbox for IntegratedScripting's Variable Cards, and leverage that to construct arbitrary Java classes and invoke arbitrary Java methods. This vulnerability allows for execution of arbitrary Java methods, and by extension arbitrary native code e.g. from java.lang.Runtime.exec, on the Minecraft server by any player with the ability to create and use an IntegratedScripting Variable Card. Versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
21.19.2-1.0.0, 1.19.2-1.0.1, 1.19.2-1.0.2, …+ 1 more
- (no CPE)range: 1.19.2-1.0.0, 1.19.2-1.0.1, 1.19.2-1.0.2, …
- (no CPE)range: <1.21.1-1.0.17 <1.21.4-1.0.9-254 <1.20.1-1.0.13 <1.19.2-1.0.10
Patches
Vulnerability mechanics
References
3- github.com/CyclopsMC/IntegratedScripting/blob/29051aace619604fb5dd60624b72dba428fea2f2/src/main/java/org/cyclops/integratedscripting/evaluate/ScriptHelpers.javanvd
- github.com/CyclopsMC/IntegratedScripting/blob/29051aace619604fb5dd60624b72dba428fea2f2/src/main/java/org/cyclops/integratedscripting/evaluate/translation/ValueTranslators.javanvd
- github.com/CyclopsMC/IntegratedScripting/security/advisories/GHSA-2v5x-4823-hq77nvd
News mentions
0No linked articles in our index yet.