GHSA-f8mx-cwfh-7hr2: 
C# vulnerability analysis and mitigation

A security vulnerability (GHSA-f8mx-cwfh-7hr2) was discovered in TShock versions 5.2.1 and earlier, affecting the connection handling and chat systems. The vulnerability was reported by @ohayo and initially discovered by a Discord user. The issue allows clients to connect to the server without completing the proper connection handshake, enabling them to bypass ban checks and interact with the server in unauthorized ways (GitHub Advisory).

The vulnerability stems from TShock's override of Terraria's vanilla systems for chat and connection handling. While Terraria's standard server checks for bans upon receiving the ConnectRequest packet, TShock performs this check during the Request World Data packet. This implementation difference allows malicious clients to bypass ban checks by simply not sending the Request World Data packet. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Moderate) with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

Exploiting this vulnerability allows malicious actors to bypass server bans, occupy player slots, send chat messages, and receive server data without being fully connected. Additionally, while other clients cannot see their join/leave notifications, these malicious users can still appear in the player list and potentially engage in chat spam or packet monitoring of other players (GitHub Advisory).

The vulnerability has been patched in TShock version 5.2.2. The fix includes implementing proper handshake validation and ensuring that ban checks are performed at the appropriate connection stage (GitHub Advisory).