name: Bug report
about: Create a report to help us improve
title: "CRITICAL: Winner Spoofing Vulnerability in 1v1 Matches"
labels: "bug, security, high-priority"
assignees: ""
Describe the bug
A critical vulnerability exists in GameServer.ts within the handleWinner method that allows a malicious client to instantly win a 1v1 match. The voting threshold check potentialWinner.ips.size * 2 < activeUniqueIPs.size evaluates to false when a single player submits a win claim in a 2-player lobby (1 * 2 < 2 is false). This bypasses the intended consensus mechanism, causing the server to immediately accept the attacker's vote, declare them the winner, and archive the game, completely disregarding the other player's status or the actual game state. Furthermore, the server already calculates wins authoritatively via WinCheckExecution, rendering client-side winner voting unnecessary and inherently insecure.
To Reproduce
Steps to reproduce the behavior:
- Join a 1v1 multiplayer game.
- Send a crafted ClientSendWinnerMessage (type: "winner") over the WebSocket connection, specifying yourself as the winner.
- The server's handleWinner method processes the message.
- Because activeUniqueIPs.size is 2 and potentialWinner.ips.size is 1, the check 1 * 2 < 2 evaluates to false.
- The server immediately sets you as the winner and archives the game.
Expected behavior
The game's winner should be determined exclusively by the server's authoritative state (via WinCheckExecution), and the server should ignore or reject any client-submitted winner claims to prevent spoofing.
Screenshots
N/A - Backend vulnerability.
Desktop (please complete the following information):
- OS: All
- Browser: All
- Version: All
Smartphone (please complete the following information):
- Device: All
- OS: All
- Browser: All
- Version: All
Additional context
- File: src/server/GameServer.ts
- Method: handleWinner
- Recommended Fix: Remove the handleWinner method and the ClientSendWinnerMessage entirely, relying solely on WinCheckExecution to trigger the setWinner logic on the server.
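
The threshold arithmetic from this report as a small model that can double as a regression test. This is an added example, not code from GameServer.ts: only the comparison `ips * 2 < active` comes from the report, while `winnerAfterClaims`, the policy names, the sample IPs and the player ids are hypothetical. The "strictMajority" policy is an assumed variant shown for contrast, and "serverOnly" models the recommended fix.

```typescript
type Policy = "reported" | "strictMajority" | "serverOnly";

interface Claim {
  ip: string;     // source IP of the client sending the winner message
  winner: string; // player id the client claims has won
}

// Constructed sample data: a 2-player lobby and one self-serving claim.
const LOBBY_1V1 = ["198.51.100.1", "198.51.100.2"];
const SINGLE_CLAIM: Claim[] = [{ ip: "198.51.100.1", winner: "player-a" }];

// Returns the winner the server would record, or null if none is set.
// activeIps is assumed to hold distinct addresses.
function winnerAfterClaims(
  policy: Policy,
  activeIps: string[],
  claims: Claim[],
  serverWinner: string | null
): string | null {
  // Recommended fix: client claims are never consulted, only the
  // server-computed result (WinCheckExecution in the report) counts.
  if (policy === "serverOnly") return serverWinner;

  const votes: Record<string, string[]> = {}; // winner id -> distinct voter IPs
  for (const claim of claims) {
    if (activeIps.indexOf(claim.ip) === -1) continue; // sender not in this lobby
    const ips = votes[claim.winner] || (votes[claim.winner] = []);
    if (ips.indexOf(claim.ip) === -1) ips.push(claim.ip);

    const rejected =
      policy === "reported"
        ? ips.length * 2 < activeIps.length   // comparison quoted in the report
        : ips.length * 2 <= activeIps.length; // exactly half is not enough
    if (!rejected) return claim.winner;
  }
  return null;
}
```

With the reported comparison, one vote out of two active IPs is exactly half and is not rejected. The strict-majority variant closes that case but still trusts client input, which is why the report recommends the server-only path.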