This repository contains a proof-of-concept demonstrating a remote code execution vulnerability in the CurseForge desktop launcher.
The issue was caused by an unauthenticated local WebSocket server exposed by the launcher, which could be reached from a user’s browser. By abusing exposed WebSocket methods, an attacker could create and launch a modpack with attacker-controlled JVM arguments, resulting in arbitrary code execution on the client system.
This vulnerability has been responsibly disclosed and patched by CurseForge as of version 1.289.3.
You can view the full write-up of the vulnerability here: https://elliott.diy/blog/curseforge
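As an added defensive example (not code from this repository, and not CurseForge's actual fix, which this README does not describe): one way a loopback WebSocket service can refuse handshakes from arbitrary web pages is to check Host, Origin and a per-launch token before upgrading. The origin `app://launcher`, port 8765, the `token` query parameter and the function names are assumptions made for illustration.

```javascript
// Added example: handshake gate for a loopback-only WebSocket service.
// All names and values below are hypothetical, chosen for illustration.
const ALLOWED_ORIGINS = new Set(['app://launcher']); // trusted UI origin (assumed)
const ALLOWED_HOSTS = new Set(['127.0.0.1:8765', 'localhost:8765']); // assumed port

// Constant-time comparison so the token cannot be recovered via timing.
function tokensMatch(a, b) {
  const x = new TextEncoder().encode(String(a));
  const y = new TextEncoder().encode(String(b));
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Decide whether an HTTP Upgrade request may become a WebSocket session.
// `headers` uses lowercase names, as Node's http module provides them.
function checkUpgrade(headers, url, sessionToken) {
  // 1. Host must be the loopback name the server bound to (blunts DNS rebinding).
  if (!ALLOWED_HOSTS.has((headers['host'] || '').toLowerCase())) {
    return { ok: false, reason: 'bad-host' };
  }
  // 2. Browsers attach Origin to every WebSocket handshake, so a connection
  //    opened by an unrelated web page is visible here and can be refused.
  const origin = headers['origin'];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: 'bad-origin' };
  }
  // 3. Non-browser clients send no Origin, so also require a per-launch secret
  //    that only the launcher's own UI was given.
  const supplied = new URL(url, 'http://localhost').searchParams.get('token');
  if (!sessionToken || supplied === null || !tokensMatch(supplied, sessionToken)) {
    return { ok: false, reason: 'bad-token' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample handshakes (not captured traffic).
function demo() {
  const token = 'constructed-token-123';
  return [
    checkUpgrade({ host: '127.0.0.1:8765', origin: 'https://example.com' }, '/?token=' + token, token),
    checkUpgrade({ host: '127.0.0.1:8765', origin: 'app://launcher' }, '/', token),
    checkUpgrade({ host: 'localhost:8765', origin: 'app://launcher' }, '/?token=' + token, token),
  ].map((r) => r.reason);
}
```

In a real server this check would run in the HTTP `upgrade` handler, answering with a 403 and closing the socket whenever `ok` is false.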
The port scanning logic in this PoC is fairly crude and was adapted from another project with minimal cleanup.
It exists purely to make the exploit easy to demonstrate and was never intended to be a high-quality or efficient scanner. A cleaner implementation is planned for a future update or future WebSocket PoCs.
This repository is for educational and research purposes only.
Do not use this code against any systems you do not own or have explicit permission to test. The vulnerability described here has already been patched. If you're using CurseForge, make sure you're on the latest version. The launcher updates automatically, so you should be safe when using it normally.