UI-Utils WebSocket RCE: Root Cause and Fix

Summary

Impact: Remote command execution via the in-game WebSocket command server from a malicious website.
Root cause: Origin validation used startsWith, so any origin prefixed with an allowed domain (e.g., https://ui-utils.com.attacker.tld) was treated as trusted. Browsers enforce Origin, so a hostile page could supply that value and get authorized.
Fix: Require exact origin equality (origin::equals) in both WebSocket entry points. This blocks prefix-based spoofing while keeping the allowlist intact.

The WebSocket command server authorizes a connection solely by comparing the request Origin header against an allowlist. Before the fix it accepted any origin that started with an allowed value.

iamnotpayingforyourpatreon / Compiling or Building a Minecraft Plugin.md

Created July 10, 2024 03:48

Compiling / Building a Minecraft Plugin

This tutorial will explain from nothing how to build/create a Minecraft Bukkit/Spigot/Paper Plugin for it's source code on GitHub.

I am assuming you don't know anything and don't have anything installed and are using a Windows device.

Watch these tutorial videos (very short).

iamnotpayingforyourpatreon / Download CoreProtect 1.21.10.md

Last active December 15, 2025 13:55

Download CoreProtect 1.21.10

updated 8th Dec, 2025 for 1.21.10

This tutorial will explain from nothing how to build/create the CoreProtect plugin or 1.21.10 from it's source code on GitHub.

I am assuming you don't know anything and don't have anything installed and are using a Windows device.

Watch these tutorial videos (very short).