PT-2024-40331

Published: 2024-12-18 · Updated: 2024-12-18

CVSS v4.0: 8.9 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: TShock versions prior to 5.2.1; OTAPI (affected versions not specified)
Description: An issue with OTAPI's management of client connections leaves stale UUIDs on RemoteClient instances after a player disconnects. As a result, a subsequent player can assume the login state of a previously connected player when all of the following hold: the server has UUID login enabled, an authenticated player disconnects, a new player connects with a modified client that does not send the ClientUUID#68 packet, and the server assigns the same RemoteClient object to the new player.
Recommendations: For TShock versions prior to 5.2.1, update to TShock 5.2.1, which resolves the issue. For OTAPI, until a more robust fix is made in OTAPI itself, implement a RemoteClient reset event handler in a plugin that sets ClientUUID to null whenever a RemoteClient is reset.
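To make the chain of conditions above concrete, here is a small added model of the flaw and of the reset-handler workaround. It is constructed for this advisory and is not OTAPI or TShock code; the class, method and account names are assumptions that only loosely mirror the advisory's terms.

```python
# Constructed model of the stale-ClientUUID flaw (not OTAPI/TShock code).
from dataclasses import dataclass
from typing import Optional


@dataclass
class RemoteClient:
    slot: int
    client_uuid: Optional[str] = None  # set when a ClientUUID packet arrives
    active: bool = False

    def reset(self, clear_uuid: bool) -> None:
        """Run when the slot's player disconnects. The vulnerable variant keeps
        client_uuid; the fixed variant nulls it, as the recommended plugin
        reset handler does."""
        self.active = False
        if clear_uuid:
            self.client_uuid = None


class Server:
    def __init__(self, slots: int, fixed: bool) -> None:
        self.clients = [RemoteClient(i) for i in range(slots)]
        self.fixed = fixed
        self.known_uuids = {"uuid-A": "alice"}  # constructed: UUID -> account

    def connect(self, uuid_packet: Optional[str]) -> int:
        # The first free slot is reused, so a new player can receive the same
        # RemoteClient object the previous player had.
        client = next(c for c in self.clients if not c.active)
        client.active = True
        if uuid_packet is not None:
            client.client_uuid = uuid_packet
        return client.slot

    def disconnect(self, slot: int) -> None:
        self.clients[slot].reset(clear_uuid=self.fixed)

    def login_state(self, slot: int) -> Optional[str]:
        # UUID login enabled: the account follows the stored ClientUUID alone.
        return self.known_uuids.get(self.clients[slot].client_uuid)


def replay(fixed: bool) -> Optional[str]:
    srv = Server(slots=1, fixed=fixed)
    slot = srv.connect("uuid-A")   # authenticated player logs in via UUID
    assert srv.login_state(slot) == "alice"
    srv.disconnect(slot)           # they leave; the RemoteClient is reset
    slot = srv.connect(None)       # next client sends no ClientUUID packet
    return srv.login_state(slot)   # inherited account if vulnerable, else None
```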

Fix

Weakness Enumeration

Incorrect Authorization

Insufficient Session Expiration

Related Identifiers

GHSA-HVM9-WC8J-MGRC

Affected Products

Otapi
Tshock