I run a Fabric server. Does this vulnerability affect it?

Yes. This is a core mod though, so it's compatible with both loaders. Check the installation instructions.

To give some context to this, the project was really only made with Forge in-mind as that is where most of the exploit users were coming from. We are working to ensure compatibility with other loaders and across versions as much as possible. It is compatible with lots of versions already, but we need more testers on more platforms to be sure and help work out any bugs.

In theory, the vulnerability could affect any mod that is using unsafe use of the Java serialization feature in network packets. While we haven't seen any cases yet, there is always the possibility. We just don't have enough information at this time to officially confirm anything.

Yes. This is a core mod though, so it's compatible with both loaders. Check the installation instructions.

I'm not using Forge, so I used the second set of instructions with the -javaagent: thing, but that just immediately crashes my server.

joptsimple.UnrecognizedOptionException: a is not a recognized option
	at joptsimple.OptionException.unrecognizedOption(OptionException.java:108) ~[jopt-simple-5.0.4.jar:?]
	at joptsimple.OptionParser.validateOptionCharacters(OptionParser.java:633) ~[jopt-simple-5.0.4.jar:?]
	at joptsimple.OptionParser.handleShortOptionCluster(OptionParser.java:528) ~[jopt-simple-5.0.4.jar:?]
	at joptsimple.OptionParser.handleShortOptionToken(OptionParser.java:523) ~[jopt-simple-5.0.4.jar:?]
	at joptsimple.OptionParserState$2.handleArgument(OptionParserState.java:59) ~[jopt-simple-5.0.4.jar:?]
	at joptsimple.OptionParser.parse(OptionParser.java:396) ~[jopt-simple-5.0.4.jar:?]
	at net.minecraft.server.Main.main(Main.java:90) ~[server-intermediary.jar:?]
	at net.fabricmc.loader.impl.game.minecraft.MinecraftGameProvider.launch(MinecraftGameProvider.java:468) ~[fabric-loader-0.14.21.jar:?]
	at net.fabricmc.loader.impl.launch.knot.Knot.launch(Knot.java:74) ~[fabric-loader-0.14.21.jar:?]
	at net.fabricmc.loader.impl.launch.knot.KnotServer.main(KnotServer.java:23) ~[fabric-loader-0.14.21.jar:?]
	at net.fabricmc.loader.impl.launch.server.FabricServerLauncher.main(FabricServerLauncher.java:69) ~[fabric-loader-0.14.21.jar:?]
	at net.fabricmc.installer.ServerLauncher.main(ServerLauncher.java:69) ~[fabric-server-mc.1.20.1-loader.0.14.21-launcher.0.11.2.jar:0.11.2]

What version of Fabric are you using?

[17:49:36] [main/INFO]: Loading Minecraft 1.20.1 with Fabric Loader 0.14.21

I am guessing this will probably be fixed in #43

"C:\Program Files\Java\jdk-17.0.1\bin\java.exe" -server -Xmx8G -Xms1024M -jar fabric-server-mc.1.20.1-loader.0.14.21-launcher.0.11.2.jar nogui -javaagent:serializationisbad-1.3.jar

@CyanRyan Could you please post the whole command you used to start the server? It looks like you placed the -javaagent argument at the wrong location

-javaagent has to be before -jar

ETA: side note, Xms is not particularly useful and it's generally not beneficial to mess with it.

-javaagent before -jar just immediately causes the server to crash without so much as generating a latest.log.

tried the latest action build on fabric 1.20.1 server - didn't went far: https://mclo.gs/fkJHAje

This issue is fixed in the 1.4 prerelease.

Thanks for the confirmation! Closing the issue.