CVE-2024-56141 in Minosoftinfo

Summary

by MITRE • 07/07/2026

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager  encryption routine ( CryptManager.kt ) initializes its AES cipher using an initialization vector (IV) that is set equal to the secret key rather than to a sufficiently random value. Because the IV is not random and is derived directly from the key, the encryption is vulnerable to chosen-ciphertext/chosen-plaintext attacks: an attacker who can submit specific messages for encryption can recover the secret key. This affects all versions supporting Minecraft protocol 1.7 and later. No patched version is available, and no known workarounds are available.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability in Minosoft's CryptManager encryption routine represents a critical cryptographic flaw that fundamentally undermines the security of encrypted communications within the client. This issue stems from a fundamental misimplementation of AES encryption principles where the initialization vector is directly derived from the secret key rather than being generated as a random value. The cryptographic error occurs in the commit f1ae30e2b046a490026a8413b075685deb795122 and affects all versions supporting Minecraft protocol 1.7 and later, making it a widespread vulnerability across multiple client implementations.

The technical flaw manifests as a direct violation of cryptographic best practices outlined in standards such as NIST SP 800-38A and CWE-329 which specifically addresses the weakness of using predictable or non-random IVs in encryption operations. When an initialization vector is derived from the secret key itself, it creates a deterministic relationship that allows attackers to perform chosen-ciphertext attacks, where they can submit carefully crafted messages for encryption and subsequently deduce the secret key through mathematical analysis of the encryption outputs. This vulnerability directly maps to CWE-327 which addresses the use of weak encryption algorithms and improper implementation of cryptographic functions.

The operational impact of this vulnerability is severe for any system relying on Minosoft's client for Minecraft protocol communications, as it effectively eliminates the confidentiality guarantees that encryption is meant to provide. An attacker with the ability to submit specific messages for encryption can exploit this weakness to recover the secret key, potentially compromising all subsequent encrypted communications within the Minecraft network. This vulnerability affects not just individual user data but could also compromise server communications and game state integrity. The lack of available patched versions and known workarounds means that users cannot remediate the issue through standard security updates, leaving them exposed to potential attacks indefinitely.

The attack surface for this vulnerability extends beyond simple data interception to include potential man-in-the-middle scenarios where attackers can manipulate encrypted communications between clients and servers. This weakness aligns with ATT&CK technique T1566 which covers social engineering and credential access through manipulation of encrypted channels, though in this case the manipulation occurs through mathematical exploitation rather than social engineering. The vulnerability represents a critical failure in cryptographic implementation that violates fundamental security principles and creates an exploitable condition that can be leveraged for broader network attacks against Minecraft protocol communications. Organizations and individuals using Minosoft clients should consider this vulnerability as requiring immediate operational remediation through alternative client implementations until proper cryptographic fixes are available, given the absence of any viable workarounds or patches.

Responsible

GitHub M

Reservation

12/16/2024

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!