CVE-2024-56141
Received Received - Intake

Cryptographic Weakness in Minosoft Client Leads to Key Recovery

Vulnerability report for CVE-2024-56141, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager  encryption routine ( CryptManager.kt ) initializes its AES cipher using an initialization vector (IV) that is set equal to the secret key rather than to a sufficiently random value. Because the IV is not random and is derived directly from the key, the encryption is vulnerable to chosen-ciphertext/chosen-plaintext attacks: an attacker who can submit specific messages for encryption can recover the secret key. This affects all versions supporting Minecraft protocol 1.7 and later. No patched version is available, and no known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bixilon minosoft From 1.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-329 The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Minosoft involves an encryption flaw where the AES cipher's Initialization Vector (IV) is incorrectly set to the secret key instead of a sufficiently random value. This happens in the CryptManager.kt file. Because the IV is not random and is derived directly from the key, the encryption is weakened and vulnerable to chosen-ciphertext and chosen-plaintext attacks.

An attacker who can submit specific messages for encryption can exploit this flaw to recover the secret key, compromising the encryption security. This affects all versions of Minosoft supporting Minecraft protocol 1.7 and later. No patched versions or workarounds are currently available.

Impact Analysis

This vulnerability can impact you by allowing an attacker to recover the secret encryption key used by the Minosoft client. With the key compromised, the attacker can decrypt sensitive data, manipulate encrypted communications, and potentially impersonate legitimate users.

The weakened encryption threatens confidentiality, integrity, and availability of data transmitted or stored using this encryption. The attack requires network access but no elevated privileges or user interaction, making it a moderate risk.

Detection Guidance

This vulnerability involves the CryptManager.kt file in the Minosoft client where the AES cipher's initialization vector (IV) is incorrectly set to the secret key instead of a random value. Detection involves identifying if the vulnerable version of Minosoft (version 1.7 or later) is in use.

Since the vulnerability is in the encryption routine, detection on the network could involve monitoring for encrypted traffic patterns that suggest weak IV usage or attempts to exploit chosen-ciphertext attacks. However, no specific detection commands or signatures are provided.

On the system, you can check the version of Minosoft installed and inspect the CryptManager.kt file for the vulnerable code snippet: specifically, the line initializing the cipher with the IV set to the key (cipher.init(opMode, key, IvParameterSpec(key.encoded))).

  • Use file search commands to find the vulnerable code, for example on Linux: grep -rnw '/path/to/minosoft/' -e 'IvParameterSpec(key.encoded)'
  • Check the Minosoft version to confirm if it is 1.7 or later, which are affected.
Mitigation Strategies

Currently, there are no patched versions or known workarounds available for this vulnerability.

Immediate mitigation steps include:

  • Avoid using vulnerable versions of Minosoft (1.7 and later) until a patch is released.
  • Restrict network access to the Minosoft client to trusted environments to reduce the risk of an attacker submitting chosen ciphertexts.
  • Monitor network traffic for suspicious activity that could indicate exploitation attempts.

Long term, apply updates from the Minosoft project once a fix is available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-56141. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart