- Java 16
- Paper server build #397
- Minecraft 1.17.1
In Java 16 only deserialization attacks work by default using log4j. To exploit this there needs to be a vulnerable serializable class in the classpath. In the current state of this repository the server will only send a serialized string object. If you found a vulnerable serializable class feel free to create a pull request.