
Path traversal during manual mrpack installation

High
Scrumplex published GHSA-wxgx-8v36-mj2m Feb 4, 2023

Package

Prism Launcher (Application)

Affected versions

<6.2

Patched versions

6.2, 7.0

Description

Impact

Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.
Remote attacks are unlikely due to format restrictions on the modrinth.com platform.

As this vulnerability allows for arbitrary code execution, confidentiality, integrity and availability are all at high risk.
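The advisory describes a launcher that joins each `files[].path` from the pack index onto the instance directory without checking the result. The following is an added example (not Prism Launcher code) that shows that unchecked join beside a conservative validator; the sample index, the `/instances/demo` root and the `example.invalid` URLs are constructed for illustration, and only the `files[].path` field from the linked format definition is relied on.

```python
import json
from pathlib import PurePosixPath

# Constructed sample modrinth.index.json (not from the advisory or the project).
# Only the fields this check needs are present; "files[].path" is the field
# the linked format definition uses for each file's destination.
SAMPLE_INDEX = json.dumps({
    "formatVersion": 1, "game": "minecraft", "versionId": "1.0", "name": "demo",
    "files": [
        {"path": "mods/example-mod.jar", "downloads": ["https://example.invalid/a.jar"]},
        {"path": "config/example.toml", "downloads": ["https://example.invalid/b.toml"]},
        {"path": "../../outside.sh", "downloads": ["https://example.invalid/c"]},
        {"path": "/absolute/elsewhere.txt", "downloads": ["https://example.invalid/d"]},
        {"path": "mods/../../escape.jar", "downloads": ["https://example.invalid/e"]},
        {"path": "C:/drive/letter.txt", "downloads": ["https://example.invalid/f"]},
    ],
})

def is_safe_pack_path(path: str) -> bool:
    """Accept only a relative path that stays inside the instance directory.

    Conservative checks: no NUL, no backslash or drive colon (matters on Windows
    hosts), no absolute path, no '..' component, and at least one component.
    """
    if not path or "\x00" in path or "\\" in path or ":" in path:
        return False
    p = PurePosixPath(path)
    if p.is_absolute():
        return False
    return bool(p.parts) and ".." not in p.parts

def naive_destination(root: str, path: str) -> str:
    """The unchecked join the advisory describes: the pack author controls the result."""
    return str(PurePosixPath(root) / path)

def validate_index(index_json: str, root: str) -> tuple[list[str], list[str]]:
    """Return (accepted destination paths, rejected pack paths) for an index."""
    index = json.loads(index_json)
    accepted, rejected = [], []
    for entry in index.get("files", []):
        path = entry.get("path", "")
        if is_safe_pack_path(path):
            accepted.append(str(PurePosixPath(root) / path))
        else:
            rejected.append(path)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = validate_index(SAMPLE_INDEX, "/instances/demo")
    print("accepted:", ok)
    print("rejected:", bad)
```

Note that an absolute `path` makes the naive join discard the instance root entirely, while a `..` component survives the join untouched until the filesystem resolves it.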

Patches

Patched in the 6.2 release: #810, #815

Workarounds

Avoid importing .mrpack files from untrusted sources.

References

https://docs.modrinth.com/docs/modpacks/format_definition/#files

Severity

High, 7.8 / 10

CVSS base metrics

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-25304
