Exploit Patches

In recent Sponge builds (SpongeForge 974+), SpongeForge and SpongeVanilla patch a few client-server exploits. Whenever the implementations detect a user performing an exploit, they are kicked from the server with a message explaining why they were kicked. If enabled, a log message is also sent to the console. More exploit patches may be added in the future.


If you know about an exploit we currently don’t cover, please let us know! You can contact us via exploits@spongepowered.org or PM a staff member on the forums. Please DO NOT post exploits publicly on IRC, our GitHub repos or the forums, if they’re still unknown. This prevents abuse until we get the issues fixed.

Exploits Patched implemented in Sponge

  1. Sign command exploit where a client could run a command such as «op»

  2. Client could force the server to make the user respawn invisible

  3. Client could set an itemstack’s display name and cause it to exceed the character limit

Note that these patches can’t be disabled, only the logging is configurable as of now.


The invisibility exploit patch has been disabled in recent Sponge builds due to the detection method falsely accusing users of performing the exploit.

Log Message Control

Log messages for the exploit patches can be individually controlled in the Sponge config file. Please read the global.conf page for more information. Here’s a short overview of available options:

# Log when server receives exploited packet with itemstack name exceeding string limit.

# Log when player attempts to respawn invisible to surrounding players.

# Log when server receives exploited packet to update a sign containing commands from player with no permission.


Log messages can also be controlled via a command, instead of directly editing the config file. For example, to enable the sign command exploit logging, type sponge config -g logging.exploit-sign-command-updates true in the console (You can also type the commands in-game if you are an op).