- lunar
- modrinth
- electron
- rce
- exploitarium
news
Lunar Client Modrinth Explore RCE Chain
rehypeRaw Markdown + preload IPC forges Modrinth profile overrides and openExternal local launcher — critical candidate CVSS ~9.6.
Summary
This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Lunar Client (Electron) June 2026 builds |
| Primitive | Raw HTML in Explore + profile override extraction + shell.openExternal on .lnk |
| Impact | Victim views malicious Modrinth project in Explore → desktop-user code execution without launching Minecraft. |
Attack Chain
Malicious MD → iframe JS → forge profile → extract overrides → openExternal launcher
Mitigation
Sanitize Modrinth HTML; restrict openExternal; validate override paths outside user-writable dirs.