A dangerous bug in Minecraft Java Edition (versions 1.19 and early 1.20 pre-releases) lets malicious world save files overwrite any file on your computer—and in some cases, even run unwanted code! This happens because Minecraft trusts dangerous files, especially symbolic links (symlinks), when you load or generate worlds. Here’s what happened, how it can be abused, and how to protect yourself.
What Is CVE-2023-33245?
CVE-2023-33245 is a vulnerability in the Minecraft Java Edition world save system. It affects Minecraft 1.19 and 1.20 pre-releases before 1.20-pre7. The bug allows a crafted world save file to upload symlinks into your game directory. These symlinks can overwrite existing files anywhere on your system that Minecraft has permission to access.
In some situations, overwriting specific files may let an attacker execute code on your computer, putting your system at risk.
Why This Is Dangerous
- Arbitrary File Overwrite: Someone can trick you into loading a Minecraft world file that contains a symlink pointing to, say, your .minecraft/options.txt or worse, important system files.
- Potential Code Execution: Overwriting files like launcher_profiles.json or even game mods/scripts could result in the game running code chosen by the attacker.
- Low User Awareness: Just loading a world file—something lots of players do from the Internet (“download this epic map!”)—can be dangerous if it contains hidden symlinks.
The Technical Details
Minecraft world data is zipped up as .zip or .mcworld files. When a world is imported, Minecraft unzips the contents into your saves folder. But until this issue was patched, Minecraft didn’t check if any file in the zip was a symlink. Operating systems like Unix/Linux and macOS (and sometimes Windows via junctions) use symlinks to point files and folders at others, even outside the game directory.
So: If a zip contains a symlink called, for example, session.lock that points to a file like /home/alice/.bashrc or C:\Windows\System32\drivers\etc\hosts, Minecraft extracts the symlink—now *modifying files outside the intended place*.
Suppose an attacker makes a zip with
level.dat
data/
region/
symlink-to-launcher_profiles.json → ~/.minecraft/launcher_profiles.json
Minecraft would overwrite the real launcher_profiles.json next time it’s loaded. Depending on the file overwritten, the attacker might take over your game, compromise mod launchers, or worse.
### Code Example: Making a Malicious World Archive (Linux/macOS)
Let's see how a symlink can be made and zipped up
# Make folder for attack
mkdir evilworld
cd evilworld
# Create a normal file
echo "Minecraft World Data" > harmless.txt
# Create a symlink pointing outside saved folder
ln -s /home/yourusername/.bashrc symlink-bashrc
# Zip the folder, preserving symlinks
zip -r evilworld.zip ./*
Now, the evilworld.zip archive contains a symlink. When Minecraft extracts it without checking, it could overwrite ~/.bashrc, a crucial script file for Linux users.
Real Exploit Scenario
Let’s say you download a “cool adventure map” from a sketchy website. Unzipping the map file inside your Minecraft saves folder, you unknowingly install one or more symlinks. When you launch Minecraft and select the world, the client extracts these files, replacing crucial configs. If the attacker targets a Minecraft-specific file, next time you open the game or use a modded launcher, it may run code chosen by the attacker. Boom—you’re owned.
Links To References
- CVE-2023-33245 entry at NVD
- Mojang Security Advisory (MC-261380)
- Minecraft changelog for 1.20-pre7 (fixes CVE-2023-33245)
- Security Researcher Blog (Assetnote)
How Was It Fixed?
After reporting, Mojang fixed the bug in 1.20 Pre-Release 7. Minecraft now better sanitizes incoming world data before extracting it, specifically stripping or blocking symlinks.
Use Antivirus Software: It can catch some malicious file changes, but this is not foolproof.
- Check Save Files: On Linux/macOS, after unzipping a world folder, run ls -l to see if there are any symlinks.
Final Thoughts
CVE-2023-33245 is a great example of why file handling in games is a *serious* security problem—especially in a world as modded and community-driven as Minecraft’s. If you ever download worlds from random places, especially on Linux/macOS, remember: a map can be more than a map—it can be a trojan horse. Always keep your game updated, and be suspicious of files from strangers.
Stay safe and keep crafting!
*[Please note: Code is for educational demonstration. Don’t use this info for harm.]*
Timeline
Published on: 05/30/2023 05:15:00 UTC
Last modified on: 06/05/2023 18:34:00 UTC