Background
On September 16, 2022, I created an exploit in Minecraft's component handler that allows someone to crash the clients of every player nearby by simply spawning an entity with a specific name or placing a sign with a specific line of text. The exploit is extremely versatile, as it can be deployed in several different ways with instant results.
This exploit (code-named Commando) affects nearly every modern version of Minecraft, with versions 1.7.2 all the way up to 1.19.2 being vulnerable to this exploit in at least some capacity. Worse yet, the exploit is extremely reliable as there is a consistently working method that works with versions 1.8 to 1.19.2.
The exploit itself has already been reported to Mojang, but it has yet to be patched officially.
The Patch
Due to the extremely powerful nature of this exploit, I have decided to publicly disclose it and provide a patch. This patch is all you need in order to become immune to the exploit. 1.19.x users may need to tweak the patch a little to target class files different from the >1.19 versions.
@Mixin(TranslatableText.class)
public class BoundlessTranslation
{
@Shadow @Final private static StringVisitable NULL_ARGUMENT;
@Inject(method = "getArg", at = @At("HEAD"), cancellable = true)
public void fixCrashExploit(int index, CallbackInfoReturnable<StringVisitable> cir)
{
if (index < 0)
{
cir.setReturnValue(NULL_ARGUMENT);
}
}
}If you use WNT, make sure to update to the latest version (currently supporting 1.17.1 to 1.18.2). I can provide a working JAR to anyone who asks. You should patch your client as soon as possible.