GHSA-hvm9-wc8j-mgrc: 
C# vulnerability analysis and mitigation

A high-severity security vulnerability (GHSA-hvm9-wc8j-mgrc) was discovered in TShock, affecting versions 4.3.21 through 5.2.1. The vulnerability was disclosed on December 18, 2024, and involves a security escalation exploit in the way OTAPI manages client connections, potentially allowing unauthorized access to authenticated user sessions (GitHub Advisory).

The vulnerability stems from an issue where stale UUIDs remain on RemoteClient instances after a player disconnects. The vulnerability has a CVSS v4 score of 8.9 (High), with network attack vector, low attack complexity, and no privileges required. The technical assessment indicates high impact on confidentiality, integrity, and availability of the vulnerable system (GitHub Advisory).

When exploited, this vulnerability allows an attacker to assume the login state of a previously connected player. This occurs under specific conditions: when UUID login is enabled, after an authenticated player disconnects, and when a subsequent player connects with a modified client that doesn't send the ClientUUID#68 packet during connection (GitHub Advisory).

The vulnerability has been patched in TShock version 5.2.1. As a workaround, administrators can implement a RemoteClient reset event handler in their plugin that nullifies the ClientUUID during the reset process. A more comprehensive fix is planned for implementation in OTAPI itself (GitHub Advisory, TShock Commit).