How to Protect Your Server from the BleedingPipe Vulnerability

Learn about the BleedingPipe exploit affecting Forge mods and how to protect your server.

BleedingPipe is a vulnerability discovered in 2023 affecting many popular Forge mods. It allows attackers to execute arbitrary code on both servers and clients through unsafe Java deserialization.

What Is BleedingPipe?

BleedingPipe exploits a flaw in how some Forge mods handle network packets. Mods using Java's ObjectInputStream without proper filtering can be tricked into executing malicious code when receiving specially crafted packets.

Am I Affected?

You may be affected if you run a Forge modded server (any Minecraft version) with mods that use unsafe deserialization. Known affected mods have included:

  • AetherCraft
  • Immersive Armors
  • ttCore
  • Gadomancy
  • And many others

The list changes as mods get patched. Check the MMPA BleedingPipe advisory for the current list.

Protecting Your Server

Update all mods

This is the most important step. Update every mod in your /mods/ folder to the latest version via Files on the XGamingServer panel. Most mod authors have patched this vulnerability.

Install BleedingPipe fix mod

Download and install the BleedingPipe fix mod from the MMPA (Minecraft Malware Prevention Alliance).

Upload it to your /mods/ folder. This mod patches the deserialization vulnerability at a global level, protecting against both known and unknown vulnerable mods.

Remove unused mods

Reduce your attack surface by removing mods you don't actually need. Fewer mods = fewer potential vulnerabilities.

Restart the server

Restart from Console to apply the fix.

Checking for Compromise

If you were running vulnerable mods on a public-facing server, check for signs of compromise:

Check for suspicious files

Look in your server directory via Files for:

  • Unknown .jar files outside the /mods/ folder
  • Suspicious scripts or executables
  • Modified server files with recent timestamps you don't recognize

Check server logs

Review server logs for:

  • Unusual error messages about deserialization
  • Connection attempts from unknown sources
  • Unexpected plugin or mod loading messages

Scan uploaded JARs

Use a malware scanner on any JAR files you're unsure about. The MMPA provides tools for checking Minecraft JARs.

Prevention Best Practices

  • Only download mods from trusted sources — CurseForge, Modrinth, official GitHub repos
  • Keep mods updated — Security patches are released frequently
  • Don't run unnecessary mods — Each mod is a potential attack vector
  • Monitor your server logs — Watch for unusual activity
  • Back up regularly — So you can restore if compromised

⚠️ Warning: BleedingPipe can affect both the server AND connected clients. Inform your players to update their client-side mods as well.

📝 Note: This vulnerability only affects Forge servers with affected mods. Vanilla, Paper, Spigot, and Fabric servers are not affected by BleedingPipe.

See also: Installing Mods | Uninstall Mods | Find Server Logs

If you need help, join our Discord.
