CVE-2025-14701 Overview
CVE-2025-14701 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Server MOTD (Message of the Day) component in Crafty Controller, a popular web-based Minecraft server management interface. The vulnerability stems from improper input neutralization, allowing remote, unauthenticated attackers to inject malicious scripts through server MOTD modification.
When a Minecraft server's MOTD is modified to include malicious JavaScript payloads, the Crafty Controller web interface fails to properly sanitize this input before rendering it to administrators and users. This allows the attacker's script to execute in the context of authenticated users' browsers when they view the server status or dashboard.
Critical Impact
Remote unauthenticated attackers can execute arbitrary JavaScript in the browsers of Crafty Controller users, potentially leading to session hijacking, credential theft, or administrative account compromise.
Affected Products
- Craftycontrol Crafty Controller (all versions prior to patch)
Discovery Timeline
- 2025-12-17 - CVE-2025-14701 published to NVD
- 2025-12-23 - Last updated in NVD database
Technical Details for CVE-2025-14701
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists because the Crafty Controller application does not properly sanitize or encode server MOTD content before displaying it in the web interface. The Server MOTD is a configurable text field that Minecraft servers broadcast to clients, and Crafty Controller displays this information on its dashboard and server management pages.
The attack is particularly concerning because it does not require authentication. An attacker can manipulate the MOTD through the Minecraft server itself or through external means, and the malicious payload will persist in the system, executing each time a legitimate user views the affected content.
The vulnerability requires user interaction (a victim must navigate to a page displaying the malicious MOTD), but once triggered, the attacker gains access to the victim's session context, enabling actions such as reading sensitive data, modifying server configurations, or pivoting to other attacks.
Root Cause
The root cause is improper input neutralization for web page rendering. The Crafty Controller application trusts MOTD data from Minecraft servers without implementing adequate output encoding or Content Security Policy (CSP) restrictions. When the MOTD content is rendered in HTML context, any embedded JavaScript or HTML tags are interpreted by the browser rather than being displayed as plain text.
This represents a failure to follow secure coding practices that require all user-controllable or external data to be treated as untrusted and properly encoded before inclusion in web pages.
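To make the root cause concrete, the following added example (not Crafty Controller's own code) shows the vulnerable pattern, raw MOTD text concatenated into HTML, beside a hardened renderer that HTML-escapes every text segment while still turning Minecraft's legacy "§" formatting codes into styled spans. The CSS class names and the assumption that the dashboard converts colour codes to spans are illustrative.

```python
import html
import re

# Legacy Minecraft formatting code: "§" followed by one of a fixed set of characters.
# Because the group is restricted to this character class, the class name built
# from it below cannot carry attacker-controlled markup.
_CODE_RE = re.compile(r"\u00a7([0-9a-fk-or])", re.IGNORECASE)


def render_motd_vulnerable(motd: str) -> str:
    """The stored-XSS pattern: untrusted MOTD text dropped straight into HTML."""
    return f'<span class="motd">{motd}</span>'


def render_motd_safe(motd: str) -> str:
    """Escape all text between formatting codes; only spans generated here are markup."""
    parts = []
    pos = 0
    open_spans = 0
    for m in _CODE_RE.finditer(motd):
        # Text before this code is untrusted: escape <, >, &, quotes.
        parts.append(html.escape(motd[pos:m.start()], quote=True))
        code = m.group(1).lower()
        if code == "r":
            # §r resets formatting: close every span opened so far.
            parts.append("</span>" * open_spans)
            open_spans = 0
        else:
            # Colour (0-9, a-f) and style (k-o) codes become CSS classes (hypothetical names).
            parts.append(f'<span class="mc-{code}">')
            open_spans += 1
        pos = m.end()
    parts.append(html.escape(motd[pos:], quote=True))
    parts.append("</span>" * open_spans)
    return '<span class="motd">' + "".join(parts) + "</span>"


if __name__ == "__main__":
    # Constructed sample MOTDs: one benign, one carrying an inline event handler.
    for sample in ("\u00a7aWelcome\u00a7r all", '<img src=x onerror=alert(1)>'):
        print("vulnerable:", render_motd_vulnerable(sample))
        print("safe:      ", render_motd_safe(sample))
```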
Attack Vector
The attack vector is network-based, requiring no prior authentication to the Crafty Controller system. An attacker can exploit this vulnerability by:
- Gaining control of, or creating, a Minecraft server that Crafty Controller monitors
- Setting that server's MOTD to include a malicious JavaScript payload
- Waiting for Crafty Controller to poll the server's status and cache the malicious MOTD
- Waiting for any authenticated user to view the dashboard or server status page, which triggers execution of the payload
The malicious script executes with the full privileges of the victim's browser session, potentially allowing the attacker to steal session cookies, perform actions as the victim, or redirect users to malicious sites. For more technical details, see the GitLab Issue Discussion.
Detection Methods for CVE-2025-14701
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in server MOTD fields
- Unexpected outbound connections from user browsers to unknown domains when accessing Crafty Controller
- Server MOTD content containing <script>, onerror=, onload=, or other event handlers
- Browser console errors indicating blocked or executed inline scripts
Detection Strategies
- Monitor server MOTD content for suspicious patterns including script tags, event handlers, and encoded JavaScript
- Implement web application firewall (WAF) rules to detect and block XSS payloads in server responses
- Review Crafty Controller access logs for unusual activity patterns following dashboard views
- Deploy browser-based XSS detection tools for administrators accessing the interface
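As an added example of the MOTD monitoring described above (not part of the original page or of Crafty Controller), the scanner below normalizes polled MOTD strings (URL- and entity-decoding, stripping benign "§" codes) and then flags script tags, inline event handlers, javascript: URIs and other HTML tags. The indicator names and the sample MOTD values are constructed for this example.

```python
import html
import re
import urllib.parse

# Indicator patterns keyed by an alert label (labels are constructed for this example).
_INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(
        r"\bon(error|load|click|mouseover|focus|blur|toggle|animationstart)\s*=",
        re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*[a-z][a-z0-9-]*(\s|>|/)", re.IGNORECASE),
}


def normalize(motd: str) -> str:
    """Undo common encodings so entity- or percent-encoded payloads match the same rules."""
    text = motd
    for _ in range(2):  # two rounds also catch double-encoded content
        text = urllib.parse.unquote(text)
        text = html.unescape(text)
    # Legacy colour/style codes are benign but could split a token such as "<§ascript>".
    return re.sub(r"\u00a7[0-9a-fk-or]", "", text, flags=re.IGNORECASE)


def scan_motd(motd: str) -> list:
    """Return the indicator labels that match a single MOTD value."""
    text = normalize(motd)
    return [name for name, pat in _INDICATORS.items() if pat.search(text)]


def scan_servers(servers: dict) -> dict:
    """Return {server_name: [indicators]} for every server whose MOTD is suspicious."""
    findings = {}
    for name, motd in servers.items():
        hits = scan_motd(motd)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample of polled MOTD values; the server names are not real.
SAMPLE_MOTDS = {
    "survival": "\u00a7aWelcome to \u00a7lSurvival\u00a7r - have fun!",
    "creative": "<img src=x onerror=alert(1)>",
    "minigames": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "lobby": "Rules: no griefing, use /help for commands",
}

if __name__ == "__main__":
    print(scan_servers(SAMPLE_MOTDS))
```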
Monitoring Recommendations
- Enable verbose logging in Crafty Controller to capture MOTD update events
- Configure SentinelOne Singularity XDR to monitor for suspicious browser behavior and script execution
- Set up alerts for changes to server MOTD content, especially from external sources
- Implement Content Security Policy reporting to detect inline script execution attempts
How to Mitigate CVE-2025-14701
Immediate Actions Required
- Review all connected Minecraft servers' MOTD content for malicious payloads
- Restrict network access to Crafty Controller management interfaces using firewall rules
- Implement Content Security Policy headers to prevent inline script execution
- Consider temporarily disabling MOTD display features until a patch is applied
Patch Information
Organizations should monitor the Crafty Controller GitLab repository for security updates addressing this vulnerability. When patches become available, test and deploy them promptly. Ensure all instances of Crafty Controller are updated to the patched version.
SentinelOne Singularity platform customers benefit from behavioral detection capabilities that can identify and prevent malicious script execution regardless of the delivery mechanism.
Workarounds
- Deploy a reverse proxy with XSS filtering capabilities in front of Crafty Controller
- Implement strict Content Security Policy headers that disallow inline scripts: script-src 'self'
- Restrict access to Crafty Controller to trusted networks only using firewall rules
- Manually sanitize or disable MOTD display features if supported by configuration
# Example nginx reverse proxy configuration with security headers
# Add to your nginx server block for Crafty Controller
# Note: default-src 'self' blocks resources loaded from other origins; adjust the
# allow-list if your Crafty Controller deployment loads scripts or styles externally
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
add_header X-Content-Type-Options "nosniff" always;
# Legacy header: current browsers no longer implement the XSS auditor, so CSP above is the effective control
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.