Minecraft Java Edition vulnerable to directory traversal


Minecraft Java Edition provided by Mojang Studios contains a directory traversal vulnerability (CWE-22).

RyotaK reported this vulnerability to the developer and coordinated on his own.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Mojang Studios
  • Minecraft 1.17 and earlier


Arbitrary JSON files on the system using the product may be deleted by an attacker.

[Update Minecraft]
Update Minecraft to the latest version according to the information provided by the developer. The developer fixed the vulnerability and released 1.17.1 Pre-release 1 (1.17.1-pre).

The users of Spigot or Forge released for the following Minecraft versions are recommended to apply the latest versions for the respective products. In this way, users of Spigot or Forge are not required to change Minecraft version, and the impact of this vulnerability can be mitigated.
  • Spigot
    • Minecraft 1.16.5
    • Minecraft 1.17

  • Forge
    • Minecraft 1.15.2
    • Minecraft 1.16.5
Vendor Information

Mojang Studios
CWE (What is CWE?)

  1. Path Traversal(CWE-22) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2021-35054

  1. JVN : JVN#53278122
Revision History

  • [2021/07/21]
      Web page was published