PT-2023-32987 · Mojang · Minecraft: Bedrock Edition

Published: 2023-09-14 · Updated: 2023-09-14

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions
Minecraft: Bedrock Edition versions prior to 4.23.1
Minecraft: Bedrock Edition versions prior to 5.3.1

Description
The issue arises from the server's use of ECDH to calculate the shared secret for the symmetric key that encrypts network packets after login. ECDH requires both keys to belong to the same elliptic curve, which in Minecraft: Bedrock Edition is secp384r1. A client-provided key on a different curve, such as secp256r1, or a non-EC key such as RSA or DH, leads to a crash during ECDH key derivation because that key does not belong to the same curve as the server's key. This could happen as long as the SHA384 hashing algorithm was used for the JWT signatures.

Recommendations
For versions prior to 4.23.1, update to version 4.23.1 or later. For versions prior to 5.3.1, update to version 5.3.1 or later. As a temporary workaround, consider using a plugin to handle LoginPacket and check that all of the identityPublicKeys provided in the JWT bodies actually belong to secp384r1 by verifying that openssl_pkey_get_details($key)["ec"]["curve_name"] is set and equal to secp384r1.
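
One way to implement the curve check from the workaround, as an added example that is not code from this advisory or from the affected project. It assumes each identityPublicKey arrives as a base64-encoded DER SubjectPublicKeyInfo; the function names and the generated sample keys are constructed for illustration.

```php
<?php
declare(strict_types=1);

const REQUIRED_CURVE = "secp384r1";

/**
 * Returns true only if $b64Der is an EC public key on secp384r1.
 * Assumption: the key is a base64-encoded DER SubjectPublicKeyInfo.
 */
function isSecp384r1Key(string $b64Der): bool {
    $der = base64_decode($b64Der, true);
    if ($der === false || $der === "") {
        return false; // not valid base64
    }
    $pem = "-----BEGIN PUBLIC KEY-----\n"
        . chunk_split(base64_encode($der), 64, "\n")
        . "-----END PUBLIC KEY-----\n";
    $key = openssl_pkey_get_public($pem);
    if ($key === false) {
        return false; // not a parseable public key
    }
    $details = openssl_pkey_get_details($key);
    if ($details === false || $details["type"] !== OPENSSL_KEYTYPE_EC) {
        return false; // RSA, DH, DSA and other non-EC keys
    }
    // curve_name is absent for EC keys with explicit parameters: reject those too.
    return isset($details["ec"]["curve_name"])
        && $details["ec"]["curve_name"] === REQUIRED_CURVE;
}

/** Constructed sample input: generate a key, return its public half as base64 DER. */
function samplePublicKey(array $options): string {
    $pem = openssl_pkey_get_details(openssl_pkey_new($options))["key"];
    return preg_replace('/-----[A-Z ]+-----|\s+/', '', $pem);
}

$ec = OPENSSL_KEYTYPE_EC;
$samples = [
    "secp384r1" => samplePublicKey(["private_key_type" => $ec, "curve_name" => "secp384r1"]),
    // OpenSSL reports secp256r1 under the name prime256v1.
    "prime256v1" => samplePublicKey(["private_key_type" => $ec, "curve_name" => "prime256v1"]),
    "RSA 2048" => samplePublicKey(["private_key_type" => OPENSSL_KEYTYPE_RSA, "private_key_bits" => 2048]),
    "garbage" => base64_encode("not a key"),
];
foreach ($samples as $label => $b64) {
    printf("%-12s %s\n", $label, isSecp384r1Key($b64) ? "accept" : "reject");
}
```

A plugin applying this check would reject the login when any key in the chain fails it, so the key never reaches ECDH derivation.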


Related Identifiers

GHSA-79RC-JJH6-RC89

Affected Products

Minecraft: Bedrock Edition