Exploit Database
Kryptonite's Exploit Database (EDB) checks for and patches known exploits in Minecraft server software, primarily by changing server configuration values to settings that mitigate them.
The table below lists the known Minecraft exploits that Kryptonite can patch, plus those for which a patch is planned.
Required Server Software
Some exploits are only patchable with specific server software. For example, EDB-1 is only patchable with Paper or one of its forks (e.g. Purpur or Pufferfish). In the table below, the Required Server Software column contains entries of the form >= Software, meaning that the exploit requires the software listed, or one of its forks.
Below is a compatibility table for guidance. We highly recommend using Paper or one of its forks: you get the most patches, and they tend to be faster.
Required Server Software / patchable on: | CraftBukkit | Spigot | Paper | Purpur | Pufferfish |
---|---|---|---|---|---|
>= CraftBukkit | ✅ | ✅ | ✅ | ✅ | ✅ |
>= Spigot | ❌ | ✅ | ✅ | ✅ | ✅ |
>= Paper | ❌ | ❌ | ✅ | ✅ | ✅ |
>= Purpur | ❌ | ❌ | ❌ | ✅ | ❌ |
>= Pufferfish | ❌ | ❌ | ❌ | ❌ | ✅ |
Exploits
EDB-ID | Title | Fix Type | Description | Required Server Software | Patchable with Kryptonite |
---|---|---|---|---|---|
1 | Armour stand lag machines | CF | Armor stands can be used to create lag machines. This is done by placing huge amounts of armor stands and forcing them to move via water, pistons or other means. | >= Paper | ✅ Since 1.1.0 |
2 | Book Exploits | CF | Books are a common target for exploitation techniques, and have been used for all sorts of nasty things in the past including duplication exploits, crash exploits, and forcing servers to run out of memory while producing massive amounts of chunk data. | >= Paper | ✅ Since 1.1.0 |
3 | Collision Lag Machines | CF | This exploit is similar to the armor stand one, but instead of armor stands, it uses entities that can be pushed by other entities. | >= Paper | ✅ Since 1.1.0 |
4 | Command suggestion packet spam | CF | Some commands on the server might have a lot of logic involved with their command suggestions. This can be exploited by sending a lot of packets that request the server to send suggestions for the command. | >= Paper | ✅ Since 1.1.0 |
5 | Command spam | CF | While even Spigot protects you from command spam, a slight oversight in its default configuration leaves a single command usable to perform this one. | >= Spigot | ✅ Since 1.1.0 |
6 | Join spam | CF | Sometimes the sheer number of players joining the server can cause it to lag out. This is especially true during bot attacks and in the moments after a server restart. | >= Paper | ✅ Since 1.1.0 |
7 | Neighbor update lag machines | CF | Long chains of consecutive block neighbor updates can be used to build lag machines. The fix limits how many consecutive neighbor updates are processed before additional ones are skipped. | >= CraftBukkit | ✅ Since 1.1.0 |
8 | Projectile suspension | CF | Projectiles can be suspended in bubble columns indefinitely. They can also be transported en masse into unloaded chunks; if anyone then loads a chunk holding the amassed projectiles, the server can crash from loading too many entities at once. | >= Paper | ✅ Since 1.1.0 |
9 | Recipe book spam | CF | Malicious players can use an auto clicker or a mod to switch between recipe book recipes extremely quickly. This is a fairly expensive operation for the server and can cause huge slowdowns. | >= Paper | ✅ Since 1.1.0 |
10 | Treasure search | CF | When a new treasure map is generated, usually via a cartographer villager trade or by opening a chest containing one, the server searches for the treasure the map should lead to. In most cases this search loads, and possibly generates, a large number of chunks, and it can stall the server long enough for the watchdog to kill it. It can also be triggered by feeding fish to dolphins. | >= Paper | ✅ Since 1.1.0 |
11 | Nether roof access | SF | Prevent players from accessing the nether roof. | >= CraftBukkit | ❌ Planned |
12 | Xray | CF | Players use client software to see ores through blocks. | >= Paper | ❌ Planned |
EDB-1 to EDB-10 data from YouHaveTrouble's Minecraft Exploits guide.
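Each configuration fix above comes down to the same procedure: read a config file, compare a handful of keys against safe values, and rewrite the ones that fail. The script below is an added example of that audit, not Kryptonite's code and not part of YouHaveTrouble's guide. It runs over constructed excerpts of Paper's paper-world-defaults.yml and Spigot's spigot.yml carrying their stock defaults. The key paths are the real ones those files use; the recommended values in CHECKS, the function names, and the rule scheme are illustrative assumptions, not Kryptonite's actual settings. A real implementation would load the files with a YAML library and write them back; the tiny parser here only exists so the example runs offline.

```python
# Added example, not Kryptonite's code: audit config files against the CF entries above and write
# the hardened values. Keys are real Paper/Spigot keys; recommended values are illustrative assumptions.


def _scalar(token):
    """YAML scalar -> bool, int, float or str."""
    token = token.strip()
    if token in ("true", "false"):
        return token == "true"
    for cast in (int, float):
        try:
            return cast(token)
        except ValueError:
            pass
    return token.strip("'\"")


def parse_yaml_subset(text):
    """Parse the YAML subset Paper/Spigot configs use: indentation-nested mappings, scalars,
    and '- item' lists (Bukkit writes list items at their key's own indent, so handle both)."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, parent, key in parent)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; values here contain no '#'
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        is_item = body.startswith("- ")
        while stack[-1][0] > indent or (stack[-1][0] == indent and not is_item):
            stack.pop()
        depth, container, parent, key = stack[-1]
        if is_item:
            if isinstance(container, dict):  # first item: the still-empty mapping becomes a list
                container = parent[key] = []
                stack[-1] = (depth, container, parent, key)
            container.append(_scalar(body[2:]))
            continue
        name, _, value = body.partition(":")
        if value.strip():
            container[name] = _scalar(value)
        else:  # a bare 'name:' opens a nested mapping
            container[name] = child = {}
            stack.append((indent, child, container, name))
    return root


# (EDB-ID, file, dotted key, recommended value, rule): "eq" must equal it, "max" must not exceed it.
CHECKS = [
    (1, "paper-world-defaults.yml", "entities.armor-stands.tick", False, "eq"),
    (3, "paper-world-defaults.yml", "collisions.max-entity-collisions", 2, "max"),
    (5, "spigot.yml", "commands.spam-exclusions", [], "eq"),  # stock spigot.yml excludes /skill
    (12, "paper-world-defaults.yml", "anticheat.anti-xray.enabled", True, "eq"),
]


def get_path(tree, dotted):
    for part in dotted.split("."):
        tree = tree.get(part) if isinstance(tree, dict) else None
    return tree


def audit(configs):
    """One finding per CHECK whose value is missing or unsafe; configs maps file name -> parsed tree."""
    findings = []
    for edb, file, key, recommended, rule in CHECKS:
        current = get_path(configs.get(file, {}), key)
        if current is None or (current != recommended if rule == "eq" else current > recommended):
            findings.append(dict(edb=edb, file=file, key=key, current=current, recommended=recommended))
    return findings


def apply_fixes(configs, findings):
    """The CF step: write each recommended value back into the parsed tree (caller serialises it)."""
    for f in findings:
        *parents, leaf = f["key"].split(".")
        tree = configs.setdefault(f["file"], {})
        for part in parents:
            tree = tree.setdefault(part, {})
        tree[leaf] = f["recommended"]
    return configs


# Constructed excerpts of *unpatched* files carrying the stock default values.
SAMPLE_CONFIGS = {
    "paper-world-defaults.yml": parse_yaml_subset("""\
anticheat:
  anti-xray:
    enabled: false
collisions:
  max-entity-collisions: 8
entities:
  armor-stands:
    tick: true
"""),
    "spigot.yml": parse_yaml_subset("""\
commands:
  spam-exclusions:
  - /skill
"""),
}
```

Calling audit(SAMPLE_CONFIGS) reports all four keys; apply_fixes writes the recommended values, after which a second audit returns nothing. The EDB-5 entry shows the oversight the table alludes to: stock spigot.yml lists /skill under commands.spam-exclusions, so that one command is exempt from Spigot's command-spam protection, and the fix is simply to empty the list. Because these are edits to the server's own files, they persist after the plugin is removed, which is the CF behaviour described under Fix Types below.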
Fix Types
Type | Description |
---|---|
CF | Configuration Fixes apply changes to the server's configuration files to prevent the exploits from occurring. Kryptonite cannot disable these fixes; they can only be undone by resetting your configuration files. Note that if you are using KOS, you will need to re-run it after resetting your configuration files. Deleting Kryptonite after running EDB will not stop these patches from being applied. |
SF | Software Fixes apply restrictions enforced by the Kryptonite plugin itself and can be enabled or disabled at any time. Deleting Kryptonite after running EDB will stop these patches from working. |