Account Takeover in modrinth/labrinth


Reported on

Oct 15th 2022


A malicious actor can set up a website on with the domain, then change the subdomain to something containing modrinth. This allows an open redirect on, which lets the attacker steal the GitHub token and take over the account.

Proof of Concept


This vulnerability is capable of full account takeover; the user can reset their account token, but the attacker has access to the user's account until then.
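The root cause described above is a redirect-target check that accepts any host containing the string modrinth. The added example below is not labrinth's code; it reconstructs a substring check of that kind beside a strict allowlist check, with the host names and sample URLs being constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed first-party hosts for this example; labrinth's real allowlist is not on the page.
ALLOWED_HOSTS = {"modrinth.com", "www.modrinth.com"}
ALLOWED_PARENT = ".modrinth.com"  # permits first-party subdomains such as api.modrinth.com


def weak_is_allowed(url: str) -> bool:
    """Substring check of the kind the report describes: any host that merely
    contains 'modrinth' passes, so an attacker-registered subdomain such as
    modrinth.attacker.example is treated as a trusted redirect target."""
    host = urlsplit(url).hostname or ""
    return "modrinth" in host


def strict_is_allowed(url: str) -> bool:
    """Exact-host allowlist: parse the URL, require https, and compare the full
    hostname (or its first-party parent suffix) rather than searching for a
    substring. Userinfo tricks (modrinth.com@attacker.example) and look-alike
    registrable domains (modrinth.com.attacker.example) are rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host in ALLOWED_HOSTS or host.endswith(ALLOWED_PARENT)


# Constructed sample redirect targets covering the report's scenario and near variants.
SAMPLE_TARGETS = [
    "https://modrinth.com/auth/callback",            # legitimate
    "https://api.modrinth.com/auth/callback",        # legitimate first-party subdomain
    "https://modrinth.attacker.example/callback",    # the report's attacker subdomain
    "https://modrinth.com.attacker.example/",        # look-alike registrable domain
    "https://modrinth.com@attacker.example/",        # userinfo confusion
    "http://modrinth.com/auth/callback",             # plaintext downgrade
]


def compare_checks(urls: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {url: (weak_result, strict_result)} so the divergence is visible."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare_checks(SAMPLE_TARGETS).items():
        print(f"{url:48} substring={weak!s:5} allowlist={strict}")
```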

Timeline

We are processing your report and will contact the modrinth/labrinth team within 24 hours. a year ago
modrinth/labrinth maintainer has acknowledged this report a year ago
Emma Alexia validated this vulnerability a year ago
ZeoNight has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Emma Alexia marked this as fixed in Not applicable with commit 07edb9 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Emma Alexia published this vulnerability a year ago