Impact
Importing a malicious .mrpack file can cause path traversal while downloading files.
This can lead to scripts or config files being placed or replaced at arbitrary locations, without the user noticing.
Remote attacks are unlikely due to format restrictions on the modrinth.com platform.
As this vulnerability allows for arbitrary code execution, confidentiality, integrity and availability are all at high risk.
Patches
Patched in the 6.2 release.
#810
#815
Workarounds
Avoid importing .mrpack files from untrusted sources.
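When a pack has to be inspected before import, the check below flags index entries that would land outside the instance directory. It is an added example, not code from the patched project: the function names are hypothetical, and it assumes the index is stored as `modrinth.index.json` with a `files[].path` field, as in the format definition linked under References.

```python
import io
import json
import zipfile
from pathlib import PureWindowsPath

INDEX_NAME = "modrinth.index.json"  # assumed index name, per the linked format definition


def is_safe_relative(path) -> bool:
    """True only if `path` is a relative path that cannot leave the instance directory."""
    if not isinstance(path, str) or not path or "\x00" in path:
        return False
    # PureWindowsPath splits on both '/' and '\', so one parse covers both conventions.
    win = PureWindowsPath(path)
    # Reject drive letters, UNC shares and rooted paths such as "/abs/x" or "C:x".
    if win.drive or win.root:
        return False
    # Conservative: any '..' component is refused, even one that would stay inside.
    return ".." not in win.parts


def unsafe_index_paths(mrpack_bytes: bytes) -> list:
    """Return every files[].path in the pack index that fails is_safe_relative()."""
    with zipfile.ZipFile(io.BytesIO(mrpack_bytes)) as pack:
        index = json.loads(pack.read(INDEX_NAME))
    paths = [entry.get("path", "") for entry in index.get("files", [])]
    return [p for p in paths if not is_safe_relative(p)]


def build_sample_pack(paths: list) -> bytes:
    """Constructed sample input: a minimal pack whose index lists the given paths."""
    index = {"formatVersion": 1, "game": "minecraft", "versionId": "0.0.0",
             "name": "constructed-sample", "files": [{"path": p} for p in paths]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pack:
        pack.writestr(INDEX_NAME, json.dumps(index))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed paths: one legitimate entry and four that must be rejected.
    sample = build_sample_pack(["mods/example.jar", "../../outside.sh",
                                "config\\..\\..\\x.cfg", "/abs/x", "C:\\x.bat"])
    for bad in unsafe_index_paths(sample):
        print("rejected:", bad)
```

A launcher-side fix would additionally resolve the joined destination and confirm it is still under the instance root before writing, which also covers symlinks already present on disk.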
References
https://docs.modrinth.com/docs/modpacks/format_definition/#files