Xianyulauncher
Monthly
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.
XianYuLauncher, a Minecraft Java Edition launcher, exposes Microsoft OAuth authentication tokens to local attackers in all versions prior to 1.5.5 due to an OAuth 2.0 Authorization Code flow implemented without PKCE or state parameter validation. A local attacker running a concurrent process on the same machine can race the launcher's fixed localhost redirect URI to intercept the authorization code, then exchange it for valid Microsoft and Minecraft access tokens without any special privileges. Compounding the exposure, ClientToken was stored on disk in plaintext and JWT/Bearer tokens could be leaked into log output. No public exploit has been identified and this vulnerability is not listed in CISA KEV.