CVE-2025-27107

Integrated Scripting is a tool for creating scripts for handling complex operations in Integrated Dynamics. Minecraft users who use Integrated Scripting prior to versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 may be vulnerable to arbitrary code execution. By using Java reflection on a thrown exception object it's possible to escape the JavaScript sandbox for IntegratedScripting's Variable Cards, and leverage that to construct arbitrary Java classes and invoke arbitrary Java methods. This vulnerability allows for execution of arbitrary Java methods, and by extension arbitrary native code e.g. from `java.lang.Runtime.exec`, on the Minecraft server by any player with the ability to create and use an IntegratedScripting Variable Card. Versions 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13, and 1.19.2-1.0.10 fix the issue.
CVSS

No CVSS.

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Integrated Scripting es una herramienta para crear scripts que gestionan operaciones complejas en Integrated Dynamics. Los usuarios de Minecraft que usan Integrated Scripting en versiones anteriores a las 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13 y 1.19.2-1.0.10 pueden ser vulnerables a la ejecución de código arbitrario. Al usar la reflexión de Java en un objeto de excepción lanzado, es posible escapar del entorno de pruebas de JavaScript para las tarjetas de variables de IntegratedScripting y aprovecharlo para construir clases e invocar métodos Java arbitrarios. Esta vulnerabilidad permite la ejecución de métodos Java arbitrarios y, por extensión, de código nativo arbitrario (por ejemplo, de `java.lang.Runtime.exec`) en el servidor de Minecraft por cualquier jugador con la capacidad de crear y usar una tarjeta de variables de IntegratedScripting. Las versiones 1.21.1-1.0.17, 1.21.4-1.0.9-254, 1.20.1-1.0.13 y 1.19.2-1.0.10 solucionan el problema.

13 Mar 2025, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-13 17:15

Updated : 2026-06-17 09:03


NVD link : CVE-2025-27107

Mitre link : CVE-2025-27107

CVE.ORG link : CVE-2025-27107


JSON object : View

Products Affected

No product.

CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')