TL;DR: UPDATE YOUR SERVER IF YOU HAVE INTEGRATED SCRIPTING INSTALLED
I found a remote code execution vulnerability in the Minecraft mod Integrated Scripting. If you are running Integrated Scripting, and the version is:
<=1.21.1-1.0.16
<=1.21.4-1.0.9-224
<=1.20.1-1.0.11
<=1.19.2-1.0.9
your server is vulnerable to being hacked by any player who is able to craft some items from Integrated Scripting. If you have a public or semi-public server, you should update the mod to a newer version.
Several popular modpacks contain Integrated Scripting. If you are running:
AllTheMods10 <=2.36
Craftoria <=1.14.0
FTB Presents Direwolf20 1.21 <=1.9.0
(and many more)
your server is also vulnerable, and you should update.
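To check an installed version against the mod version ranges listed above, here is an added example (not code from the mod or from the advisory). It assumes version strings follow the same <minecraft>-<mod>[-<build>] layout as the list, and it treats an ambiguous build number as needing the update.

```python
import re

# Last vulnerable mod release per Minecraft line, copied from the list above.
LAST_VULNERABLE = {
    "1.21.1": "1.0.16",
    "1.21.4": "1.0.9-224",
    "1.20.1": "1.0.11",
    "1.19.2": "1.0.9",
}

# Assumed layout: <mod version>[-<build number>], e.g. "1.0.9-224".
MOD_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_mod(text):
    """Split '1.0.9-224' into ((1, 0, 9), 224); build is None when absent."""
    m = MOD_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised mod version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return release, build


def check(version):
    """Classify a full '<minecraft>-<mod>[-<build>]' version string."""
    mc, sep, mod = version.strip().partition("-")
    if not sep or mc not in LAST_VULNERABLE:
        return "unknown"  # Minecraft line not covered by the list above
    try:
        release, build = parse_mod(mod)
    except ValueError:
        return "unknown"
    limit_release, limit_build = parse_mod(LAST_VULNERABLE[mc])
    if release != limit_release:
        return "vulnerable" if release < limit_release else "above-listed-range"
    # Same release: build numbers decide only when both sides carry one;
    # otherwise flag it, so an ambiguous install is treated as needing the update.
    if build is not None and limit_build is not None and build > limit_build:
        return "above-listed-range"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real server.
    for v in ["1.21.1-1.0.16", "1.21.1-1.0.17", "1.21.4-1.0.9-224",
              "1.21.4-1.0.9-230", "1.20.1-1.0.3", "1.18.2-1.0.0"]:
        print(f"{v:20} {check(v)}")
```

A result of "unknown" means the Minecraft line is not in the list above, not that the install is safe.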
Technical details
Versions of Integrated Scripting released before February 24th, 2025 contain a critical remote code execution vulnerability. By leveraging Java reflection, it’s possible to escape the GraalJS sandbox and call arbitrary methods on arbitrary Java objects. The initial vulnerability disclosure, with more details, is available as GHSA-2v5x-4823-hq77. The vulnerability has also been assigned CVE-2025-27107.