9 matches found
Improper Authorization
TShock is vulnerable to Improper Authorization. The vulnerability stems from incomplete connection handling: clients can exist on the server, occupy player slots, chat, and receive data without fully completing the connection handshake, allowing banned users to exploit server...
GHSA-F8MX-CWFH-7HR2 TShock allows chat while not fully connected, possible ban evasion
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of sofurry.com. Please note that this user does not own this domain on the internet, just the Discord handle. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling,...
Improper Authorization
Overview: Affected versions of this package are vulnerable to Improper Authorization, allowing a malicious client to bypass server restrictions. An attacker can join a server despite being banned by omitting a specific packet. Additionally, by not sending a Request World Data packet, they can stay...
TShock allows chat while not fully connected, possible ban evasion
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of sofurry.com. Please note that this user does not own this domain on the internet, just the Discord handle. TShock overrides certain Terraria vanilla systems, including chat, and the connection handling,...
PT-2025-5636 · Tshock · Tshock
Name of the Vulnerable Software and Affected Versions: TShock (affected versions not specified). Description: This issue allows malicious clients to connect to a server without completing the connection handshake, occupying a player slot, and receiving data from the server, even if they are banned...
Authentication Bypass by Primary Weakness
Overview: Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness due to the management of client connections by OTAPI, which allows stale UUIDs to remain on RemoteClient instances after a player disconnects. An attacker can assume the login state of a...
TShock Security Escalation Exploit
Impact: An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects. Because of this, if the following conditions are met, a player may assume the login state of a previously connected player: 1. The server has UUID...
GHSA-HVM9-WC8J-MGRC TShock Security Escalation Exploit
Impact: An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient instances after a player disconnects. Because of this, if the following conditions are met, a player may assume the login state of a previously connected player: 1. The server has UUID...
PT-2024-40331 · Tshock +1 · Tshock +1
Name of the Vulnerable Software and Affected Versions: TShock versions prior to 5.2.1; OTAPI (affected versions not specified). Description: An issue with OTAPI's management of client connections leads to stale UUIDs remaining on RemoteClient instances after a player disconnects. This can cause a...