Impact
If user input is passed directly to minetest.deserialize (i.e. a string that the mod did not itself produce with minetest.serialize), then a malicious user could run Lua code in the server environment.
Mods should never pass user input to minetest.deserialize. Even after this fix, passing user input is still highly problematic as it can cause freezes and denial of service.
Because passing user input to this function is inherently insecure, this issue isn't considered a vulnerability by itself. But when you combine this issue with GHSA-hwj2-xf72-r4cf it's possible to execute code without any mods being at fault.
If the mod security sandbox is disabled, then it would be possible for attackers to access the host system.
Patches
8d6a0b9
Workarounds
Updating to Minetest 5.4 or later is recommended.
You should also make sure that no mods pass user input to minetest.deserialize, and ensure that you apply fixes for GHSA-hwj2-xf72-r4cf.
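As an added illustration (not part of this advisory and not the Minetest project's own code), the following mod snippet shows the pattern the advisory warns against beside a safer way to accept the same player-supplied data. The chat command name "setprefs" and the two preference fields are assumptions made for the example; minetest.register_chatcommand, minetest.parse_json, minetest.serialize, minetest.deserialize and the player meta API are the engine's documented modding API.

```lua
-- Added example, not from the advisory or the Minetest project.
-- Scenario (assumed): a mod lets players store a few preferences via chat.

-- Pattern the advisory warns against: the raw chat text is handed to
-- minetest.deserialize, so the player controls what Lua runs in the server
-- environment (and can also make the parser hang).
local function unsafe_setprefs(name, param)
    local prefs = minetest.deserialize(param)  -- never do this with user input
    return true, "prefs stored"
end

-- Safer pattern: parse a data-only format, then validate every field by hand.
-- minetest.parse_json returns nil on malformed input instead of running code.
local function validate_prefs(tbl)
    if type(tbl) ~= "table" then
        return nil, "expected a JSON object"
    end
    local out = {}
    if tbl.color ~= nil then
        if type(tbl.color) ~= "string"
                or not tbl.color:match("^#%x%x%x%x%x%x$") then
            return nil, "color must be #RRGGBB"
        end
        out.color = tbl.color
    end
    if tbl.fly_speed ~= nil then
        if type(tbl.fly_speed) ~= "number"
                or tbl.fly_speed < 0 or tbl.fly_speed > 10 then
            return nil, "fly_speed must be a number between 0 and 10"
        end
        out.fly_speed = tbl.fly_speed
    end
    return out
end

local function safe_setprefs(name, param)
    -- cheap size cap so a huge string cannot tie up the parser
    if #param > 256 then
        return false, "input too long"
    end
    local parsed = minetest.parse_json(param)
    if parsed == nil then
        return false, "malformed JSON"
    end
    local prefs, err = validate_prefs(parsed)
    if not prefs then
        return false, err
    end
    local player = minetest.get_player_by_name(name)
    if not player then
        return false, "player not online"
    end
    -- Only a string the mod produced itself with minetest.serialize is ever
    -- stored, and only that trusted string is later read back with
    -- minetest.deserialize.
    player:get_meta():set_string("prefs", minetest.serialize(prefs))
    return true, "prefs stored"
end

minetest.register_chatcommand("setprefs", {
    params = "<json object>",
    description = "Store your preferences, e.g. {\"color\":\"#ff0000\"}",
    func = safe_setprefs,
})
```

The key property is that user-controlled bytes never reach minetest.deserialize at all: the player's text is parsed as pure data, rejected unless each field has the expected type and range, and only the mod's own serialized output is stored for later deserialization.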
References
#9369