XianYuLauncher: Legacy Microsoft account OAuth sign-in flow lacks PKCE and state validation
Description
XianYuLauncher is a Minecraft Java Edition launcher. In versions prior to 1.5.5, sensitive authentication artifacts could be exposed during a user-initiated login under certain local attack conditions. Affected versions relied on a fixed localhost redirect URI without PKCE or state validation. Exploitation is most likely to occur when an attacker is able to observe, intercept, or otherwise interfere with the local authentication flow on the same device. This issue has been fixed in version 1.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.5.5
Patches
Vulnerability mechanics
Root cause
"The OAuth authorization flow used a fixed localhost redirect URI without PKCE or state validation, allowing a local attacker to intercept authentication artifacts."
Attack vector
An attacker with local access to the same device can observe or intercept the fixed localhost redirect URI used during Microsoft OAuth login, because the flow lacked PKCE and state validation [patch_id=6466810]. By monitoring the loopback callback, the attacker could capture sensitive authentication artifacts such as authorization codes or tokens. The attack requires the victim to initiate a login while the attacker is able to inspect network traffic or process memory on the shared machine.
Affected code
The vulnerability resides in the Microsoft OAuth authentication flow within `XianYuLauncher.Core/Services/` and the view models `AccountViewModel.cs` and `TutorialPageViewModel.cs`. The patch modifies `AccountManager.cs` to strip Microsoft refresh tokens from persisted storage and introduces `SensitiveDataSanitizer.cs` for log redaction. The dialog service in `AccountDialogService.cs` was also updated to conditionally show interactive vs. device-code login options.
What the fix does
The patch hardens the OAuth flow by replacing the insecure browser-based login (`LoginWithBrowserAsync`) with an interactive MSAL broker flow (`LoginInteractivelyAsync`) that uses PKCE and proper state validation [patch_id=6466810]. It also stops persisting Microsoft refresh tokens to disk by clearing them during migration and only encrypting/saving tokens for external (non-Microsoft) accounts. A new `SensitiveDataSanitizer` class redacts tokens and JWTs from logs to prevent accidental leakage.
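As an added example, not code from XianYuLauncher or its patch: the PKCE (S256) and state checks that the attack vector and the fix description above refer to, shown as a plain loopback-redirect flow rather than the MSAL broker the patch adopts. The port, the simulated authorization server and the issued code are constructed placeholders; only the standard library is used.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def start_authorization() -> dict:
    """Client: fresh per-login PKCE verifier, S256 challenge and state (RFC 7636 / RFC 6749 s10.12)."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the RFC 7636 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return {"code_verifier": verifier, "code_challenge": challenge, "state": b64url(secrets.token_bytes(16))}

def handle_loopback_callback(callback_url: str, expected_state: str) -> str:
    """Client: reject any loopback hit whose state is not the one this login attempt issued."""
    params = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(params.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def server_redeem_code(issued: dict, code: str, code_verifier: str) -> bool:
    """Authorization server (simulated): a code is redeemable only with the verifier whose S256 hash equals the recorded challenge."""
    record = issued.get(code)
    if record is None:
        return False
    return hmac.compare_digest(b64url(hashlib.sha256(code_verifier.encode()).digest()), record["code_challenge"])

def demo() -> dict:
    """One constructed, offline run of the flow (hypothetical port and code values)."""
    login = start_authorization()
    code = b64url(secrets.token_bytes(16))
    issued = {code: {"code_challenge": login["code_challenge"]}}  # server-side record of the issued code
    good_cb = f"http://127.0.0.1:40000/callback?code={code}&state={login['state']}"
    accepted = handle_loopback_callback(good_cb, login["state"])
    try:  # a callback injected with the wrong state never reaches the token request
        handle_loopback_callback(f"http://127.0.0.1:40000/callback?code={code}&state=forged", login["state"])
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {
        "legit_redeem": server_redeem_code(issued, accepted, login["code_verifier"]),
        "code_without_verifier": server_redeem_code(issued, accepted, "captured-code-only"),  # observer lacks the verifier
        "forged_state_rejected": forged_rejected,
    }
```

With a fixed redirect URI and neither check, the authorization code seen on the loopback callback is the whole secret; with PKCE it is useless without the in-memory verifier, and with state the client ignores callbacks it did not initiate.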
Preconditions
- Network: Attacker must have local access to the same device as the victim (shared machine or ability to observe loopback traffic).
- Input: Victim must initiate a Microsoft account login through the launcher.
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/XianYuLauncher/XianYuLauncher/pull/213 (MISC)
- github.com/XianYuLauncher/XianYuLauncher/security/advisories/GHSA-q6r9-qxmf-8hfx (CONFIRM)