Geyser · Geyser · CVE-2026-42188
**Name of the Vulnerable Software and Affected Versions**
Geyser versions prior to 2.9.3
**Description**
A server-side request forgery (SSRF) exists in the handling of Bedrock player head texture data. By supplying a crafted Base64-encoded skin texture URL via the `/give` command, an attacker can cause the Minecraft server to issue arbitrary HTTP GET requests to internal or attacker-controlled endpoints. This occurs because the URL contained in the `textures.SKIN.url` field is not sufficiently validated when Geyser processes the Base64-encoded JSON value for custom player heads using the `minecraft:profile` NBT structure. This blind SSRF can be used for internal network probing, cloud metadata access attempts, and IP address disclosure of the Minecraft server.
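An allowlist-based check of the kind a defender would place in front of the texture fetch, as an added example that is not Geyser's own code (Geyser is written in Java; this illustrates the check in Python). It assumes the `textures.SKIN.url` layout named above and treats the single allowed host `textures.minecraft.net` over HTTPS as a hypothetical policy.

```python
import base64
import ipaddress
import json
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist: the only host a skin texture fetch may target.
ALLOWED_TEXTURE_HOSTS = {"textures.minecraft.net"}


def is_public_host(host: str) -> bool:
    """Return False for literal IPs in loopback, private or link-local ranges."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a hostname, not a literal IP; the allowlist decides


def extract_skin_url(b64_value: str) -> Optional[str]:
    """Decode the Base64 'textures' property and return textures.SKIN.url."""
    try:
        payload = json.loads(base64.b64decode(b64_value, validate=True))
        url = payload["textures"]["SKIN"]["url"]
    except (ValueError, KeyError, TypeError):
        return None
    return url if isinstance(url, str) else None


def validate_skin_url(url: str) -> bool:
    """Accept only https URLs whose host is on the allowlist, with no
    embedded credentials and no non-standard port."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username or parts.password or parts.port not in (None, 443):
        return False
    host = parts.hostname.lower()
    return host in ALLOWED_TEXTURE_HOSTS and is_public_host(host)


def safe_skin_url(b64_value: str) -> Optional[str]:
    """Return the skin URL only if it passes every check, else None."""
    url = extract_skin_url(b64_value)
    try:
        return url if url is not None and validate_skin_url(url) else None
    except ValueError:  # e.g. a malformed port component
        return None


def encode_profile(url: str) -> str:
    """Build a constructed 'textures' property value for demonstration."""
    return base64.b64encode(json.dumps({"textures": {"SKIN": {"url": url}}}).encode()).decode()
```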
**Recommendations**
Update to version 2.9.3.