There was recently a new exploit discovered called BleedingPipe, which can give people access to your computer (similar to Log4j). This works by using unsafe deserialization code that most mods have.
I hope Greg doesn’t have any exploitative code, but this is a heads up to fix any.
I can't put links in my post, but this site explains most of the exploits.
I do not serialize Objects so my Stuff is all fine (my network packets are all manually encoded and decoded with the data that they need and nothing else).
I am considering adding a hard dependency on this Mod though, once it is validated to be safe. The reason I think it is unsafe is because it downloads a json file for auto-configuration purposes to stay up to date. Which in and of itself might be exploitable, but I am unsure about that.
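The manual encoding described in the post above, as an added Java example that is not part of the original posts and is not GregTech's code. The packet layout, class names and limits are hypothetical; the point is that the decoder reads only fixed primitives and a length-capped byte run, so no class named on the wire is ever instantiated, which is what `ObjectInputStream.readObject()` would do.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class ManualPacketCodec {
    static final int MAX_NAME_BYTES = 64; // hard cap, checked before allocating

    // Hypothetical packet: block position, a mode byte, a short label.
    static final class MachinePacket {
        final int x, y, z; final byte mode; final String name;
        MachinePacket(int x, int y, int z, byte mode, String name) {
            this.x = x; this.y = y; this.z = z; this.mode = mode; this.name = name;
        }
    }

    static byte[] encode(MachinePacket p) throws IOException {
        byte[] name = p.name.getBytes(StandardCharsets.UTF_8);
        if (name.length > MAX_NAME_BYTES) throw new IOException("name too long");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeInt(p.x); out.writeInt(p.y); out.writeInt(p.z);
        out.writeByte(p.mode);
        out.writeByte(name.length);
        out.write(name);
        return buf.toByteArray();
    }

    // Every field is range-checked; nothing from the wire selects a type.
    static MachinePacket decode(byte[] wire) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(wire));
        int x = in.readInt(), y = in.readInt(), z = in.readInt();
        byte mode = in.readByte();
        if (mode < 0 || mode > 3) throw new IOException("bad mode " + mode);
        int len = in.readUnsignedByte();
        if (len > MAX_NAME_BYTES) throw new IOException("name length " + len);
        byte[] name = new byte[len];
        in.readFully(name); // throws EOFException on truncated input
        if (in.available() != 0) throw new IOException("trailing bytes");
        return new MachinePacket(x, y, z, mode, new String(name, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException {
        byte[] wire = encode(new MachinePacket(10, 64, -3, (byte) 1, "boiler"));
        MachinePacket p = decode(wire);
        System.out.println(p.x + "," + p.y + "," + p.z + " mode=" + p.mode + " " + p.name);
        byte[] bad = wire.clone();
        bad[13] = (byte) 200; // constructed: claimed name length beyond the cap
        try { decode(bad); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```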
@Demosthenex I was just about to make a post asking you about this, have you checked DD’s safety yet? We have quite a few mods
After the initial discovery, we discovered that a bad actor scanned all Minecraft servers on the IPv4 address space to mass-exploit vulnerable servers. A likely malicious payload was then deployed onto all affected servers.
-Bleeding Pipe: A RCE vulnerability exploited in the wild
We’re on a nonstandard port, and as I understand it you must be able to log in (i.e. on the whitelist). No concerns yet.
I decided to just link Releases · dogboy21/serializationisbad · GitHub on my downloads page, that should be more than enough.