Expected Behavior
Usernames accepted during offline-mode login should be validated against the vanilla character set (alphanumerics and underscore, length 1–16) to prevent log injection and identity confusion.
Actual Behavior
ServerLoginPacket.java (line 84–88) only checks for emptiness:
username = ProtocolUtils.readString(buf, 16);
if (username.isEmpty()) {
throw EMPTY_USERNAME;
}
readString(buf, 16) permits any UTF-8 content up to 16 code units. In offline mode, this name becomes the profile name and the offline UUID seed, and is forwarded to the backend as-is. Spaces, control characters (\n, \r), section signs (§), and Unicode homoglyphs are all accepted.
This only affects offline-mode or forwarding=none/legacy setups. Online-mode names come from Mojang and are already safe, and modern forwarding wraps the name in an HMAC.
Steps to Reproduce
- Run Velocity with
online-mode=false (or forwarding-mode=none).
- Connect with a modified client using a username containing e.g. newlines,
§, or spaces.
- The proxy accepts the login and forwards the name to the backend.
Plugin List
N/A — this is in the core proxy login path.
Velocity Version
Checked at dev/3.0.0@a7581821 (MC 26.2 era).
Additional Information
HandshakeSessionHandler.cleanVhost (line 192–207) already strips \0 from the handshake hostname to prevent BungeeCord-style injection, so there's precedent for input sanitization in the login path.
A configurable filter (defaulting to [A-Za-z0-9_]{1,16}) would close this gap for standard offline setups while allowing proxies that intentionally support exotic names to opt out. At a minimum, control characters should be stripped before logging.
Expected Behavior
Usernames accepted during offline-mode login should be validated against the vanilla character set (alphanumerics and underscore, length 1–16) to prevent log injection and identity confusion.
Actual Behavior
ServerLoginPacket.java(line 84–88) only checks for emptiness:readString(buf, 16)permits any UTF-8 content up to 16 code units. In offline mode, this name becomes the profile name and the offline UUID seed, and is forwarded to the backend as-is. Spaces, control characters (\n,\r), section signs (§), and Unicode homoglyphs are all accepted.This only affects offline-mode or
forwarding=none/legacysetups. Online-mode names come from Mojang and are already safe, and modern forwarding wraps the name in an HMAC.Steps to Reproduce
online-mode=false(orforwarding-mode=none).§, or spaces.Plugin List
N/A — this is in the core proxy login path.
Velocity Version
Checked at dev/3.0.0@a7581821 (MC 26.2 era).
Additional Information
HandshakeSessionHandler.cleanVhost(line 192–207) already strips\0from the handshake hostname to prevent BungeeCord-style injection, so there's precedent for input sanitization in the login path.A configurable filter (defaulting to
[A-Za-z0-9_]{1,16}) would close this gap for standard offline setups while allowing proxies that intentionally support exotic names to opt out. At a minimum, control characters should be stripped before logging.