CVE-2021-33790
CRITICALRebornCore < 3.13.8 - Remote Code Execution via Untrusted Data Deserialization
Title source: llmDescription
The RebornCore library before 4.7.3 allows remote code execution because it deserializes untrusted data in ObjectInputStream.readObject as part of reborncore.common.network.ExtendedPacketBuffer. An attacker can instantiate any class on the classpath with any data. A class usable for exploitation might or might not be present, depending on what Minecraft modifications are installed.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_misc
https://vuln.ryotak.me/advisories/45
Third Party Advisory x_refsource_misc
https://github.com/TechReborn/RebornCore/security/advisories/GHSA-r7pg-4xrf-7mrm
Product, Third Party Advisory x_refsource_misc
https://www.curseforge.com/minecraft/mc-mods/reborncore
Scores
CVSS v3
9.8
EPSS
0.0284
EPSS Percentile
84.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
techreborn/reborncore
< 3.13.8
Published
May 31, 2021
Tracked Since
Feb 18, 2026