CVE-2025-54120 Overview
CVE-2025-54120 is a critical information disclosure vulnerability affecting PCL (Plain Craft Launcher) Community Edition, a popular Minecraft launcher. The vulnerability involves the inadvertent logging of login credentials to local log files during the third-party authentication process. While the log files are not automatically uploaded or shared, users who manually distribute these logs risk exposing their authentication credentials to unauthorized parties.
Critical Impact
Third-party login credentials are recorded in plaintext within local log files, creating a significant risk of credential exposure if users share log files for debugging or support purposes.
Affected Products
- PCL (Plain Craft Launcher) Community Edition versions 2.12.0-beta.5 through 2.12.0-beta.9
Discovery Timeline
- 2025-07-23 - CVE-2025-54120 published to NVD
- 2025-07-25 - Last updated in NVD database
Technical Details for CVE-2025-54120
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The flaw exists in the authentication module of the Plain Craft Launcher, specifically within the third-party login handling code. During the login process, credentials used for authentication are inadvertently written to the application's local log file. This represents a fundamental secure coding violation where sensitive data handling fails to properly sanitize or exclude credentials from diagnostic logging.
The attack requires local access to the log files or social engineering to convince users to share their logs. While the logs are not automatically transmitted, users frequently share log files when seeking technical support or reporting bugs, creating an indirect but dangerous attack surface for credential theft.
Root Cause
The root cause stems from improper handling of authentication request parameters in the logging subsystem. The ModLaunch.vb module responsible for authentication logging failed to filter or redact sensitive credential data before writing diagnostic information to log files. This allowed plaintext credentials from third-party login requests to be persisted locally.
Attack Vector
The attack vector is local with user interaction required. An attacker would need to either:
- Gain local access to the victim's system to read log files directly
- Socially engineer the victim into sharing their log files (common in gaming community support scenarios)
- Intercept log files if the user uploads them to public platforms for troubleshooting
The security patch modifies the error handling to properly sanitize logged information while adding enhanced error details without exposing credentials:
ProfileLog("验证登录失败:" & AllMessage)
If (AllMessage.Contains("超时") OrElse AllMessage.Contains("imeout")) AndAlso Not AllMessage.Contains("403") Then
ProfileLog("已触发超时登录失败")
- Throw New Exception("$登录失败:连接登录服务器超时。" & vbCrLf & "请检查你的网络状况是否良好,或尝试使用 VPN!")
+ Throw New Exception("$登录失败:连接登录服务器超时。" & vbCrLf & "请检查你的网络状况是否良好,或尝试使用 VPN!" & vbCrLf & vbCrLf & "详细信息:" & ex.ToString())
End If
End Try
Data.Progress = 0.25
Source: GitHub Commit Changes
Detection Methods for CVE-2025-54120
Indicators of Compromise
- Presence of authentication credentials or tokens in PCL log files located in the application's data directory
- Log files containing third-party login request/response data with visible usernames or password hashes
- Unusual access patterns to PCL log file directories
- Evidence of log files being uploaded to external services or shared via messaging platforms
Detection Strategies
- Implement file integrity monitoring on PCL log directories to detect unauthorized access
- Deploy DLP (Data Loss Prevention) rules to flag log files containing potential credential patterns before transmission
- Monitor for PCL versions within the vulnerable range (2.12.0-beta.5 to 2.12.0-beta.9) in software inventory systems
- Configure endpoint detection to alert on log file access by non-standard processes
Monitoring Recommendations
- Enable audit logging for file access events on directories containing PCL application logs
- Monitor outbound file transfers for patterns matching log file naming conventions
- Review user support channels for instances where vulnerable users may have shared logs publicly
- Implement automated scanning of shared files in community support forums for credential exposure
How to Mitigate CVE-2025-54120
Immediate Actions Required
- Upgrade PCL Community Edition to version 2.12.0-beta.10 or later immediately
- Locate and securely delete existing log files from vulnerable versions that may contain credentials
- Rotate any third-party authentication credentials that may have been used with affected versions
- Instruct users to never share log files from vulnerable versions and to change passwords if they have done so
- Review any previously shared log files and assess potential credential exposure
Patch Information
The vulnerability is fixed in PCL Community Edition version 2.12.0-beta.10. The patch removes the erroneous credential logging while improving error handling with sanitized diagnostic information. Users should update immediately via the official PCL Community GitHub repository. The specific fix can be reviewed in the GitHub commit.
Workarounds
- If immediate upgrade is not possible, manually review and delete log files after each authentication attempt
- Configure the application to use minimal logging levels during authentication operations
- Educate users about the risks of sharing log files from this application version
- Consider temporarily using alternative authentication methods until the patch is applied
# Remove potentially sensitive log files from PCL installation
# Adjust path as needed for your installation
find ~/.pcl2 -name "*.log" -type f -mtime -30 -exec rm -f {} \;
# Verify installed version and update status
# Check application version against patched version 2.12.0-beta.10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
