CurseForge is mostly safe. The service scans and moderates all mods uploaded to the platform. However, a couple of incidents with Minecraft mods either containing malware (Fractureiser) or security vulnerabilities that allowed for remote code execution (BleedingPipe) show it still pays to be cautious.

The company and active mod community dealt with these threats pretty fast. That said, you need to vet your mods carefully. Read user reviews, stick to those from trusted creators, ensure they’re in the right format (not a sneaky .exe that installs malware), and scan files with an antivirus to stay safe.

Other than that, CurseForge collects a fair bit of personal data for personalized ads and to improve its services. Below, we’ll go deeper into how to check mods before installing them and show you how to disable data collection in the app.

Is CurseForge safe?

CurseForge is a trusted mod platform, but it has its fair share of issues. Here are some risks you should know about:

• Potentially malicious mods: CurseForge verifies mods uploaded to its site, but some malware can still evade scans. Sticking to mods from reputable creators can reduce the risk, but it’s not guaranteed.
• Compromised mods: Even trusted uploaders can have their accounts compromised, and attackers can push malware-infected updates (e.g., the Fractureiser infostealer malware that affected Minecraft players in 2023).
• Security vulnerabilities in old mods: Like any software, mods (especially older and unmaintained ones) may have unpatched security flaws that can be exploited. One example is BleedingPipe, a vulnerability that allowed attackers to remotely execute code on modded Minecraft clients and servers.
• Modified dependency files: A mod sometimes requires helper files to function (such as the Fabric API for some Minecraft mods). If someone swaps one of those files for a bad version, or a third-party launcher is required, it could run unsafe code during installation or launch, even if the actual mod is clean.
• Third-party ads and external sites: Ads may run malicious scripts, exploit security holes, or redirect you to third-party downloads that CurseForge has no control over. This is not a CurseForge-exclusive problem; malvertising can affect any service.

CurseForge data collection practices

Twitch sold off CurseForge to Overwolf in 2020, so any data the site and app collect is subject to Overwolf’s privacy policy. We’ve gone through it to see whether CurseForge is safe to use from a privacy standpoint.

CurseForge website

CurseForge collects your typical non-personal data for technical purposes, though it also collects some personal data. Fortunately, CurseForge does not collect biometrics, health records, political opinions, and similar categories of sensitive data.

Here’s a quick rundown:

• Non-personal data: Browser type, ISP, operating system type and version, mobile network info, device settings (e.g., language), and so on.
• Technical identifiers and activity data: Your IP address, cookie data, and how you interact with the website, such as which pages you’ve viewed, clicks, and timestamps. You can reject non-essential cookies through the consent notice.
• Identity and contact information: Voluntarily provided info such as full name, email, phone number, social accounts (Google, Facebook, Discord, etc.), and game interests. That info is used to sign up, contact customer support, do business with the company, and for legal purposes.
• General location data: Your device’s IP address reveals your approximate location. CurseForge may personalize ads based on that and other details, such as your ZIP code. You can turn off ad personalization to get more generic ads, though this doesn’t disable them completely.

CurseForge may share this data with the Overwolf Group, their partners (such as cloud service or CRM providers), law enforcement, or any company that acquires the service. You can request data deletion, depending on your jurisdiction, though CurseForge may refuse if it needs the data for legal and tax reasons, fraud prevention, or similar uses.

CurseForge launcher

Most users who haven’t jumped ship to other launchers recommend using the “Download Standalone” option to get a lightweight version of CurseForge without Overwolf bloat.

During installation (or by going to Settings > Privacy > Ads Personalization & Data), you have the option of disabling ad personalization. Most of it was disabled by default on my end (likely the GDPR at work), aside from “legitimate interest” options under Vendors.

Unfortunately, clicking “Reject All Purposes” doesn’t disable those, so I went through the grueling task of toggling everything off manually.

Under Settings > Privacy, the app also lets you disable showing your activity on Discord, app recommendations, diagnostics data (system performance while using CurseForge, crash reports, and the like), and analytics about how you use the app and what games you play.

With all that out of the way, the ads I got in CurseForge weren’t too egregious: some Temu clothes, random freemium games, the odd local delivery app, and ads for games that are supported on CurseForge. You can turn these off with Premium, but it’s not necessary.

How to tell if a mod on CurseForge is safe

A quick check can catch most risky downloads before you install them. Look at who made the mod, user downloads and reviews, and whether the file matches what the game expects:

• It’s from a popular creator: Creators with a long history and several well-known mods have more public feedback, making unusual behavior easier for players to spot.
• It has plenty of downloads: A large download count doesn’t guarantee a mod on CurseForge is safe, but it gives more people a chance to report problems if something looks wrong.
• Comments don’t mention security issues: Read recent comments before downloading. Players usually point out suspicious behavior, fake updates, or files that trigger warnings.
• The file is in the right format: Minecraft mods usually come as .jar files, while Sims 4 mods use .package or .ts4script files. Avoid mods in .exe format, as they may run malicious commands.
• Your antivirus doesn’t detect any threats: Scan the file before opening it. Pay extra attention if your antivirus flags the download or blocks part of it.
• It doesn’t request extra permissions: Most mods work after installation alone. Be careful if one asks you to disable security tools or run unrelated software.
• The mod is actively maintained: Not a hard requirement, but mods that haven’t been updated in years could have undiscovered vulnerabilities like BleedingPipe and put your device at risk.

How to stay safe on CurseForge

Besides thoroughly vetting the mods you install, the following tips should prevent in-game issues and potential attacks:

• Use a capable antivirus: Reputable anti-malware software, or even running the files through a tool like VirusTotal should help you suss out most infected mods.
• Stick to the CurseForge launcher: Not all third-party launchers are bad (see alternatives like Prism Launcher and ATLauncher). If you’re unsure what they do or can’t find much information about them, it’s best to avoid them.
• Back up your files before installing mods: Even if a mod turns up clean, there’s always a chance it could mess with your game files or cause compatibility issues. Back up your Minecraft world, The Sims 4 saves, and important files on your hard drive before installing anything more involved than a texture mod.
• Keep everything updated: This includes your OS, game(s), launcher, mods, and any software you use regularly. Updates often fix security flaws that attackers can exploit.

Is CurseForge safe? FAQs