Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14701

CVE-2025-14701: Crafty Controller Stored XSS Vulnerability

CVE-2025-14701 is a stored XSS vulnerability in Crafty Controller's Server MOTD component that allows unauthenticated attackers to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-14701 Overview

CVE-2025-14701 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Server MOTD (Message of the Day) component of Crafty Controller, a web-based Minecraft server management platform. The flaw stems from improper neutralization of user-supplied input during MOTD modification. A remote, unauthenticated attacker can inject persistent JavaScript payloads that execute in the browser of any authenticated user who views the affected server view. The vulnerability is classified under CWE-79 and carries a CVSS 3.1 score of 7.1.

Critical Impact

Unauthenticated attackers can inject stored JavaScript through the Server MOTD field, leading to session hijacking, credential theft, and unauthorized actions against authenticated Crafty Controller administrators.

Affected Products

  • Crafty Controller (crafty-4) — versions prior to the patched release
  • Self-hosted Crafty Controller deployments exposing the web management interface
  • Minecraft server instances managed through the Crafty Controller panel

Discovery Timeline

  • 2025-12-17 - CVE-2025-14701 published to NVD
  • 2025-12-23 - Last updated in NVD database

Technical Details for CVE-2025-14701

Vulnerability Analysis

The vulnerability resides in how Crafty Controller processes and renders the Server MOTD field. The MOTD is a server-side string broadcast by Minecraft servers and surfaced inside the Crafty Controller web management dashboard. Because the application fails to neutralize HTML and JavaScript metacharacters before rendering the MOTD in the panel, attacker-controlled markup is treated as executable content by the browser.

The attack is remote and requires no authentication on the Crafty Controller side. An attacker only needs to control or influence the MOTD value advertised by a Minecraft server visible to the panel, or to abuse any unauthenticated path that writes to the MOTD store. User interaction is required: a logged-in operator must view the relevant page for the injected payload to fire.

Once the payload executes, it runs in the authenticated session context of the operator. This enables session token theft, forced configuration changes, creation of administrative users, or pivoting toward the underlying host via Crafty Controller's server management functionality.

Root Cause

The root cause is missing or insufficient output encoding of the MOTD string before it is inserted into the DOM of the Crafty Controller management interface. The component fails to apply contextual HTML entity encoding, allowing <script> tags and event-handler attributes to be parsed as code rather than displayed as text.

Attack Vector

The attack vector is network-based with low complexity. An attacker sets a malicious MOTD containing JavaScript on a server tracked by Crafty Controller. When an administrator opens the server view in the panel, the payload executes under the panel's origin. Refer to the GitLab Issue Report for technical details on the affected code path.

No verified exploit code available. See the upstream issue tracker for proof-of-concept details.

Detection Methods for CVE-2025-14701

Indicators of Compromise

  • MOTD field values containing HTML tags such as <script>, <img onerror=, or <svg onload= stored in Crafty Controller's database
  • Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after opening the Crafty Controller panel
  • Unexpected creation of new Crafty Controller user accounts or role changes correlated with administrator panel access

Detection Strategies

  • Review the Crafty Controller database and configuration stores for MOTD entries containing HTML control characters (<, >, ", ', &) or JavaScript keywords
  • Inspect web server access logs for POST or PUT requests targeting MOTD-related endpoints from unauthenticated sources
  • Deploy Content Security Policy (CSP) reporting to capture inline script execution attempts within the panel origin

Monitoring Recommendations

  • Enable browser CSP report-uri or report-to directives to surface XSS attempts against the management interface
  • Monitor authentication and authorization logs for anomalous session activity following MOTD updates
  • Alert on administrative API calls (user creation, server start/stop, file edits) that occur within seconds of a panel page load

How to Mitigate CVE-2025-14701

Immediate Actions Required

  • Upgrade Crafty Controller to the latest patched release available from the project repository
  • Restrict network access to the Crafty Controller web interface using a VPN, reverse proxy with authentication, or IP allowlisting
  • Audit existing MOTD values across all managed servers and sanitize any entries containing HTML or script content
  • Rotate Crafty Controller administrator credentials and invalidate active sessions after patching

Patch Information

The maintainers tracked the issue at GitLab Issue #647. Operators should pull the latest crafty-4 release that addresses the input neutralization gap in the MOTD rendering path. Verify the deployed version after upgrade and confirm the fix by attempting to render a benign HTML-tagged MOTD value.

Workarounds

  • Place the Crafty Controller panel behind a reverse proxy that enforces a strict Content Security Policy disallowing inline scripts
  • Limit which Minecraft servers the panel ingests MOTD data from to trusted sources only
  • Configure browser-side script blocking extensions for administrators accessing the panel until the patch is applied
bash
# Example nginx reverse proxy CSP header to limit XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.