Skip to content

Require permission level for chase command#14034

Open
Mickey42302 wants to merge 3 commits into
PaperMC:mainfrom
Mickey42302:chase
Open

Require permission level for chase command#14034
Mickey42302 wants to merge 3 commits into
PaperMC:mainfrom
Mickey42302:chase

Conversation

@Mickey42302

Copy link
Copy Markdown

In the base game for Java Edition, there is a security flaw with the "/chase" command. By default, it is available to all players, even if they don't have operator privileges. This allows any player with malicious intentions to abuse the tool. I reported this to Mojang, but they refused to address the issue (https://imgur.com/a/chase-exploit-jXYUTD0).

This patch changes the required permission level to 3. This ensures that the command is restricted to operators, which significantly reduces the risk of it being abused. However, the "minecraft.command.chase" permission node can still be used if a server owner wishes to customise who has access to "/chase".

@Mickey42302 Mickey42302 requested a review from a team as a code owner July 5, 2026 15:21
@github-project-automation github-project-automation Bot moved this to Awaiting review in Paper PR Queue Jul 5, 2026
@electronicboy

electronicboy commented Jul 5, 2026

Copy link
Copy Markdown
Member

This should be a file patch, but it's worth noting this command is only enabled on servers which doubly opt into this;

This is generally a debug tool, debug tools aren't expected to be enabled in environments where this is a concern; I'm not really sure if this is ours to fix

@Owen1212055

Copy link
Copy Markdown
Member

Yeah this is a debug tool, which should not be enabled on production.

@Doc94

Doc94 commented Jul 5, 2026

Copy link
Copy Markdown
Member

And even if its enabled (what require the owner of the server to make that) you can still block the command with permission minecraft.command.chase like any other vanilla commmand (ex: LuckPerms)

@Mickey42302

Mickey42302 commented Jul 5, 2026

Copy link
Copy Markdown
Author

From what I've seen, when Mojang closes an issue as "Won't Fix", that's a sign that they're probably not going to fix it for a long time. By fixing the security flaw using a patch, you are preventing people from creating a vulnerability in their server. Even if "/chase" is a debug tool, it should still have a proper security configuration.

@Lulu13022002 Lulu13022002 changed the title Fix "/chase" exploit. Require permission level for chase command Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Awaiting review

Development

Successfully merging this pull request may close these issues.

4 participants