Earlier today we became aware of a potential RCE in modpacks containing a combination of BiblioCraft and CoreTweaks. Credit to Exopteron for this.
We have tested this internally and found versions 1.8.2 (MC 1.7.10) through to 2.4.5 (MC 1.12.2) are vulnerable.
It boils down to BiblioCraft not sanitizing some strings used when creating the file name, allowing you to write to other directories, combined with the (un)lucky co-incidence of the format Biblio's books are stored, matching the format of the files used by CoreTweaks.
This means if you do everything correctly, you can write code that CoreTweaks will run.
There is a lot of "if"s and "but"s in making it happen, including causing a server to exit abnormally so a shutdown hook doesn't change the file.
Read the full description from the reporter at Exopteron/BiblioRCE: BiblioCraft File Manipulation/Remote Code Execution exploit affecting BiblioCraft versions prior to v2.4.6 (github.com)
While this person was also kind enough to assist the author in patching this prior to releasing, due to the nature of Minecraft modpacks, there are a vast quantity of abandoned, but still played modpacks, with vulnerable versions of this mod.
As per our recent record, we jumped into action and created a java agent, much like what we did for CVE-2021-44228/LOG4SHELL.
This can be downloaded here, we will place the source on GitHub shortly and this post will be updated.
To use this, add this to your start arguments (while replacing the filename with the name you saved the above to)
The basic gist of what this does, is sanitize the file save path, as a way to mitigate at runtime, so you can never write the file outside of the expected directory.
We strongly recommend updating mods to their latest version when possible, however, if you run a hosting company, or similar, and are in a situation you'd just like to ensure your end users are safe, this should achieve that.