Please read for full information and to keep up to date. This article is constantly updating. Last Update: Dec 10th 2021 14:31 UTC
PSA: There is a critical security exploit that affects Minecraft: Java Edition, and can make you vulnerable to undesirable consequences. If you have the game running, please shut down all running instances of the game and Launcher and restart - your Launcher will automatically download the fix. Until the issues has been fixed, we advise you to not play on any versions of Minecraft earlier than 1.12 right now.
We've now released patches for all affected clients. If you have any running game instances, close them, close the Launcher and restart again (yes, even if you did it before - do it again now).
If you use the vanilla launcher, restart it to apply the fix. This fix ONLY works for vanilla launchers and vanilla Minecraft installations. It does not work for modded clients or launchers. This fix applies for 1.6.3 onward, which is for all affected versions
Update to 1.18.1.
Forge has released a fix for 1.12 and newer. Download the installers from https://files.minecraftforge.net
Fabric has indicated that 0.12.9+ versions have been patched with a fix.
CurseForge indicates they are partly fixed if you are not using the debug logging. However, enabling debug logging will expose you to the exploit.
Same list as above applies.
Spigot server owners can refer to https://www.spigotmc.org/threads/spigot-security-releases-—-1-8-8–1-18.537204/
Sponge has pushed a partial fix to their latest 1.12.2 version, however it is not a complete fix.
Paper has pushed out fixed versions. https://papermc.io/downloads
Official game client
If you play Minecraft: Java Edition, but aren’t hosting your own server, you will need to take the following steps: Close all running instances of the game and the Minecraft Launcher. Start the Launcher again – the patched version will download automatically.
Modified clients and third-party launchers
Modified clients and third-party launchers might not be automatically updated. In these cases, we recommend following the advice of your third-party provider. If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing.
If you’re hosting your own Minecraft: Java Edition server, you'll need to take different steps depending on which version you’re using, in order to secure it.
1.18: Upgrade to 1.18.1, if possible. If not, use the same approach as for 1.17.x:
1.17: Add the following JVM arguments to your startup command line:
1.12-1.16.5: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
1.7-1.11.2: Download this file to the working directory where your server runs. Then add the following JVM arguments to your startup command line:
Versions below 1.7 are not affected