CurseForge WebSocket Flaw Exposes Users to Remote Code Execution Risk

CurseForge WebSocket Flaw Enabled Browser-Based Remote Code Execution

A recently disclosed vulnerability in the CurseForge desktop launcher highlighted how seemingly harmless local services can expose users to serious risks. A researcher discovered that the launcher’s local WebSocket server failed to validate the Origin header and required no authentication, allowing any website visited by the user to send commands directly to the application via localhost. This flaw created a path to remote code execution (RCE) under the right conditions.

Why This Vulnerability Matters

Local WebSocket servers are commonly used by desktop applications to facilitate communication between components. However, without proper security controls, such services can unintentionally bridge web content and local execution environments. Modern browsers allow websites to communicate with localhost by design, primarily for legitimate purposes such as detecting local services. If an application does not enforce strict request validation, attackers may exploit this mechanism.

CurseForge's vulnerability serves as a reminder that desktop software used by gamers—often perceived as low‑risk—can present severe security issues. The rise of modding platforms, companion apps, and game launchers has created new attack surfaces that cybercriminals increasingly target.

How the WebSocket Exploit Worked

The core issue stemmed from CurseForge's local WebSocket server, which was exposed without any authentication or origin checks. This meant:

• Any website could attempt to communicate with the service.
• The server accepted requests without verifying they came from the launcher itself.
• Several actions could be invoked remotely, including creating and launching modpacks.

One particular API method stood out: minecraftTaskLaunchInstance, which accepted arbitrary Java Virtual Machine (JVM) arguments. By combining two WebSocket calls—creating a modpack and launching it with attacker‑controlled JVM flags—a malicious site could cause the victim’s system to execute unintended commands.

The researcher demonstrated this using JVM parameters that intentionally triggered an out‑of‑memory error, causing Windows to execute a supplied command. While the proof‑of‑concept only opened the calculator application, the mechanism could be adapted for malicious purposes.

The Role of Randomised Ports

CurseForge randomised the WebSocket port on each launch, but this provided limited protection. Browsers based on Chromium can scan thousands of local ports quickly, allowing attackers to locate the active port reliably. Firefox struggled with this volume, offering partial protection, but Chromium's behaviour made the attack viable for most users.

Timeline and Patch

The vulnerability remained exploitable for just over three months before a fix was deployed. Following notification, the issue was acknowledged and ultimately patched in version 1.289.3. The publication of the research occurred only after the updated version had been rolled out to users.

Broader Implications for Gamers and Developers

This incident highlights several important themes:

1. Desktop Gaming Tools Are High‑Value Targets

Modding platforms often run with elevated permissions or interact deeply with system resources. This makes them attractive to attackers.

2. Local Services Require Strong Security Controls

Even local‑only APIs must implement origin validation and authentication. The assumption that local equals safe is outdated.

3. Routine Updates Are Essential

For end‑users, the only reliable defence is to update applications promptly. Delayed patching leaves systems exposed long after a fix becomes available.

Conclusion

The CurseForge WebSocket vulnerability underscores how small oversights in local service security can create major risks. As gaming ecosystems grow increasingly complex, developers must remain vigilant in securing their tools, and users must keep their software up to date to minimise exposure.

What do you think? Let me know in the comments.