CVE-2023-29478

CRITICAL

BiblioCraft < 2.4.6 - Path Traversal and Remote Code Execution via Filename Sanitization Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-29478. PoCs published by Exopteron.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2023-29478, targeting a remote code execution vulnerability in the BiblioCraft mod for Minecraft. The exploit leverages NBT data manipulation and jar file injection to achieve arbitrary code execution.

Description

BiblioCraft before 2.4.6 does not sanitize path-traversal characters in filenames, allowing restricted write access to almost anywhere on the filesystem. This includes the Minecraft mods folder, which results in code execution.

Exploits (1)

nomisec WORKING POC 14 stars
by Exopteron · poc
https://github.com/Exopteron/BiblioRCE

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: BiblioCraft mod for Minecraft (likely 1.12.2 and other versions)
No auth needed
Prerequisites: Access to a Minecraft server with BiblioCraft mod installed · Ability to execute in-game commands
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory
https://github.com/Exopteron/BiblioRCE

Scores

CVSS v3 9.8
EPSS 0.0167
EPSS Percentile 73.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE: CWE-22
Status: published
Products (1): bibliocraftmod/bibliocraft < 2.4.6
Published: Apr 07, 2023
Tracked Since: Feb 18, 2026