CVE-2026-42188— Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL

Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL

Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition. Prior to 2.9.3, a server-side request forgery (SSRF) vulnerability exists in Geyser’s handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the /give command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to attacker-controlled or internal endpoints. This occurs server-side, without proper URL validation, and can be triggered by a Bedrock client. This vulnerability is fixed in 2.9.3.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

服务端请求伪造(SSRF)

Geyser 代码问题漏洞

Geyser是GeyserMC开源的一个跨平台游戏版本桥接代理工具。 Geyser 2.9.3之前版本存在代码问题漏洞，该漏洞源于处理基岩玩家头部纹理数据时存在服务端请求伪造，可能导致攻击者通过/give命令提供特制的Base64编码皮肤纹理URL，使Minecraft服务器向攻击者控制的或内部端点发出任意HTTP GET请求。

N/A

N/A