CVE-2025-61680
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jaketcooper | minecraft_rcon | 2.1.0 |
| jaketcooper | minecraft_rcon | 2.0.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-256 | The product stores a password in plaintext within resources such as memory or files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Minecraft RCON Terminal, a VS Code extension, is that versions 0.1.0 through 2.0.6 store passwords using VS Code's configuration API which writes them in plaintext to the settings.json file. This means sensitive password information is not encrypted or protected, making it accessible to anyone who can read that file. The issue is fixed in version 2.1.0.
How can this vulnerability impact me? :
This vulnerability can impact you by exposing your Minecraft server passwords in plaintext within the settings.json file. If an unauthorized person gains access to this file, they can retrieve the passwords and potentially take control of your Minecraft server, leading to unauthorized access and possible server compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
Storing passwords in plaintext can violate security best practices required by common standards and regulations such as GDPR and HIPAA, which mandate protecting sensitive information. This vulnerability could lead to non-compliance due to inadequate protection of authentication credentials, increasing the risk of data breaches and associated penalties.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Minecraft RCON Terminal VS Code extension to version 2.1.0 or later, as this version fixes the issue of storing passwords in plaintext in the settings.json file.