{"url":"http://public2.vulnerablecode.io/api/packages/516927?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.8.7","type":"composer","namespace":"pocketmine","name":"pocketmine-mp","version":"3.8.7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"5.42.1","latest_non_vulnerable_version":"5.42.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11672?format=json","vulnerability_id":"VCID-2d6r-as3y-43h9","summary":"PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid\n### Summary\nIf a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by `BaseInventory->getItem()`.\n\n### Details\nCrashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873\n\n### PoC\nUsing Gophertunnel, use `serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})`\n\n### Impact\nServer crash, all servers\n\n### Patched versions\nThis issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 
5.11.2.","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr"},{"reference_url":"https://github.com/advisories/GHSA-xc7j-wj36-qjfr","reference_id":"GHSA-xc7j-wj36-qjfr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr",
"scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xc7j-wj36-qjfr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33973?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.11.2"}],"aliases":["GHSA-xc7j-wj36-qjfr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2d6r-as3y-43h9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11489?format=json","vulnerability_id":"VCID-4t87-31wu-3ygb","summary":"PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)\n### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.\n\n[netresearch/jsonmapper](https://github.com/cweiske/JsonMapper) allows objects to be hydrated from scalar types in JSON. 
However, due to the lack of validation in the code for this feature, it may output improperly initialized objects if applied to objects whose constructors don't handle the input values.\n\nCode handling these objects in PocketMine-MP could then crash due to `@required` properties not being set within the objects.\n\nIn addition, because JsonMapper does not respect `bStrictObjectTypes` when processing arrays, it's not possible to avoid the issue by disabling the feature.\n\nDue to the relatively high number of security issues arising from unexpected behaviour in JsonMapper, the team is exploring options to replace it.\n\n### Patches\nIn the meantime, the issue was fixed by pmmp/netresearch-jsonmapper@b96a209f9e8b76b899a0d0918493cd87eb3c02a7 and 6872661fd03649cc7a8762c41c16e9ee5a4de1c9.\n\n### Workarounds\nDetecting the malicious data that triggers this issue is of rather high difficulty, so it's not likely that a plugin would be able to easily remediate this.\n\n### References\nhttps://github.com/cweiske/jsonmapper/pull/225\nhttps://github.com/cweiske/jsonmapper/issues/226","references":[{"reference_url":"https://github.com/cweiske/jsonmapper/issues/226","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/issues/226"},{"reference_url":"https://github.com/cweiske/jsonmapper/pull/225","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/pull/225"},{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/b96a209f9e8b76b899a0d0918493cd87eb3c02a7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scor
ing_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/b96a209f9e8b76b899a0d0918493cd87eb3c02a7"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/6872661fd03649cc7a8762c41c16e9ee5a4de1c9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/6872661fd03649cc7a8762c41c16e9ee5a4de1c9"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6j3-j35f-v2x7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6j3-j35f-v2x7"},{"reference_url":"https://github.com/advisories/GHSA-h6j3-j35f-v2x7","reference_id":"GHSA-h6j3-j35f-v2x7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h6j3-j35f-v2x7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33362?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerab
ility":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.11.1"}],"aliases":["GHSA-h6j3-j35f-v2x7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4t87-31wu-3ygb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49128?format=json","vulnerability_id":"VCID-5a2c-344g-4uen","summary":"Insufficient type validation in pocketmine/pocketmine-mp\n### Impact\nWhen an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid.\n\nThis involves deserializing item NBT from the client, which allows for bogus data to be provided. Usually, this is harmless, but in this particular case, it could result in crashes on certain types of bad data (e.g. 
incorrect ListTag type provided for the `CanDestroy` tag).\n\n### Patches\nThis is fixed in 4.2.9 by commit 5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2.\n\n### Workarounds\nIt's non-trivial to workaround this, but can be done by handling `InventoryTransactionPacket` and `PlayerAuthInputPacket` to scrub inbound transaction data of bogus NBT that would cause these crashes.\n\n### For more information\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md#429","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.2.9/changelogs/4.2.md#429"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/5a98b08ee8dc8ff14862cd83d2e4af9d212fefc2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/releases/tag/4.2.9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/releases
/tag/4.2.9"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g5rr-p69h-7v3g"},{"reference_url":"https://github.com/advisories/GHSA-g5rr-p69h-7v3g","reference_id":"GHSA-g5rr-p69h-7v3g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5rr-p69h-7v3g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85059?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.9"}],"aliases":["GHSA-g5rr-p69h-7v3g","GMS-2022-913"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5a2c-344g-4uen"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17483?format=json","vulnerabi
lity_id":"VCID-6hed-1yz7-77eb","summary":"PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket\n### Impact\n\nAttackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft `LoginPacket`, causing the server to generate very long log messages.\nAdditionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.\n\nThis may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.\n\nThis happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.\n\nThis vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.\n\n### PoC\n1. Connect to the server using a custom client.\n\n2. Send a Minecraft `LoginPacket` containing an unexpected JSON property (e.g., invalid_key) within the ClientData.\n\n3. Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).\n\n4. 
The server hits the `warnUndefinedJsonPropertyHandler`, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.\n\n```\nA := make([]interface{}, 1)\n\tptr := &A\n\tfor i := 0; i < 500; i++ {\n\t\tnext := make([]interface{}, 1000)\n\t\t(*ptr)[0] = next\n\t\tptr = &next\n\t}\n\tdata := make([]int, 2000000)\n\tfor i := 0; i < 100; i++ {\n\t\tdata[i] = i\n\t}\n\t(*ptr)[0] = data\n\td.PlayFabID = A\n ```\n\n### Patches\nThe issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant `var_export` and limiting the length of the logged property name to 80 characters.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.\n\nHowever, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the 
past).","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L288-L302","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L288-L302"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L333-L349","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L333-L349"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6rj-3m53-887h","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}
,{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6rj-3m53-887h"},{"reference_url":"https://github.com/advisories/GHSA-h6rj-3m53-887h","reference_id":"GHSA-h6rj-3m53-887h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h6rj-3m53-887h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50536?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.41.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ka25-znbz-zuh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.41.1"}],"aliases":["GHSA-h6rj-3m53-887h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6hed-1yz7-77eb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38760?format=json","vulnerability_id":"VCID-8bgq-t88m-a7dq","summary":"PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash\n### Impact\nIn 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar.\n\nThis did not lead to any duplication issues, but instead led to a server crash, and is believed to have been exploited in the wild.\n\n### Patches\nThis was fixed in 58974765a68f63a9968a7ff3a06f584ff2ee08d2, which was released in 4.18.1.\n\n### Workarounds\nHandle `InventoryTransactionPacket` in `DataPacketReceiveEvent`, and verify that the item count dropped isn't more than the available item count. 
However, it's complicated to do this, so it's not recommended.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7332","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53475","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-7332"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md#4181"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/58974765a68f63a9968a7ff3a06f584ff2ee08d2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_element
s":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv"},{"reference_url":"https://www.cve.org/cverecord?id=CVE-2023-7332","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cve.org/cverecord?id=CVE-2023-7332"},{"reference_url":"https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md","reference_id":"4.18.md","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/5897476","reference_id":"5897476","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/P
R:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-02T14:17:28Z/"}],"url":"https://github.com/pmmp/PocketMine-MP/commit/5897476"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7332","reference_id":"CVE-2023-7332","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-7332"},{"reference_url":"https://github.com/advisories/GHSA-h87r-f4vc-mchv","reference_id":"GHSA-h87r-f4vc-mchv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h87r-f4vc-mchv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72006?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.18.1"}],"aliases":["CVE-2023-7332","GHSA-h87r-f4vc-mchv","GMS-2023-1797"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8bgq-t88m-a7dq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17186?format=json","vulnerability_id":"VCID-8rhq-qv5w-zyfj","summary":"PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state\n### Summary\nWhen an entity dies, the entity is flagged for despawn, but remains in the `World`'s entity table, meaning it's still accessible by doing `World->getEntity($entityId)` and other methods. 
The same is true of a player when quitting the server.\n\nWhen a network packet arrives from a client to attack an entity, the handler fetches the entity using `World->getEntity($entityId)` without any checks if the entity is already marked for despawning. Depending on the timing, the entity in question might already be in the flagged-for-despawn state when the action is processed. This means that the death handler for the entity might be run multiple times, causing loot and XP to be dropped multiple times, among other potential side effects.\n\n### Reproducing steps\nTo reproduce this vulnerability, two clients (Player A and Player B) are required.\n\nPrerequisites:\n    - Player A (Victim): Must have the valuable items to be duplicated in their inventory and 1 HP (to ensure instant death).\n    - Player B (Attacker): Must be equipped with a weapon capable of dealing at least 1 damage.\n\nSteps:\n    1. Player A and Player B stand next to each other.\n    2. Player A initiates the disconnect sequence (e.g., clicking \"Disconnect\" or \"Exit to Menu\").\n    3. Immediately after Player A triggers the disconnect (within a split-second window), Player B must attack and kill Player A.\n    4. Player A's character dies server-side, and their inventory drops on the ground.\n    5. Player B collects the dropped items.\n    6. Player A logs back into the server.\n    7. 
Result: Player A still possesses the original items in their inventory, while Player B holds the dropped copies.\n\n### Patches\nThe issue was fixed in https://github.com/pmmp/PocketMine-MP/commit/c0719b76b18f2508143134e79bc9f1aa39109683 by adding checks for flagged-for-despawn entities in several affected locations.\n\nWhile a cleaner fix would be to have `World`'s various entity accessing methods exclude flagged-for-despawn entities, this was deemed too risky for 5.x as it would require significant internal changes.\n\n### Workarounds\nPlugins can mitigate this issue on older versions by handling `EntityDamageByEntityEvent`, checking if the victim entity is flagged for despawn, and if so, cancelling the event.","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/c0719b76b18f2508143134e79bc9f1aa39109683","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/c0719b76b18f2508143134e79bc9f1aa39109683"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-f9jp-856v-8642","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-f9jp-856v-8642"},{"reference_url":"https://github.com/advisories/GHSA-f9jp-856v-8642","reference
_id":"GHSA-f9jp-856v-8642","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f9jp-856v-8642"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45537?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.39.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-ka25-znbz-zuh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.39.2"}],"aliases":["GHSA-f9jp-856v-8642"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8rhq-qv5w-zyfj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15450?format=json","vulnerability_id":"VCID-acwe-9my2-xuef","summary":"PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling\n### Impact\n\nThe server does not meaningfully limit the size of the JSON payload in `ModalFormResponsePacket`. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.\n\nThe player must have a full session on the server (i.e. 
spawned in the world) to exploit this, as form responses are not handled unless the player is in game.\n\n### Patches\nThe issue was fixed in two parts:\n- cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse\n- f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID\n\n### Workarounds\nThis issue can be worked around in a plugin using `DataPacketReceiveEvent` by:\n- checking the max size of the `formData` field\n- making sure the form ID is not repeated\n\nHowever, a full workaround for the issue would require reflection to access the `Player->forms` property, which is not exposed via any accessible API prior to 5.39.2.\n\n### PoC\n\n1. Join a PocketMine-MP server as a regular player (no special permissions needed).\n2. Use a modified client or packet-sending script to send a `ModalFormResponsePacket` with:\n\n   * Any non-existent `formId`\n   * `formData` containing a massive JSON array (e.g., 10+ MB payload).\n3. The server will attempt to parse the JSON and may freeze or become unresponsive.\n\nExample NodeJS pseudocode:\n\n```javascript\nimport { createClient } from 'bedrock-protocol';\n\nconst host = '127.0.0.1';\nconst port = 19132;\nconst username = 'Test';\n\nconst client = createClient({\n  host,\n  port,\n  username,\n  offline: true\n});\n\nconst hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';\n\nclient.on('spawn', () => {\n  console.log('[*] Connected & spawned. Sending malicious packet...');\n\n  client.write('modal_form_response', {\n    formId: 9999,       // Non-existent form\n    formData: hugePayload // Huge JSON\n  });\n\n  console.log('[*] Packet sent. 
The server should start freezing shortly.');\n});\n```","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/cef1088341e40ee7a6fa079bca47a84f3524d877","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/cef1088341e40ee7a6fa079bca47a84f3524d877"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/f983f4f66d5e72d7a07109c8175799ab0ee771d5","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/f983f4f66d5e72d7a07109c8175799ab0ee771d5"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-788v-5pfp-93ff","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-788v-5pfp-93ff"},{"reference_url":"https://github.com/advisories/GHSA-788v-5pfp-93ff","reference_id":"GHSA-788v-5pfp-93ff","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-788v-5pfp-93ff"}],"fixed_packages":[{"url":"http://public2.vul
nerablecode.io/api/packages/45537?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.39.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-ka25-znbz-zuh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.39.2"}],"aliases":["GHSA-788v-5pfp-93ff"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-acwe-9my2-xuef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36171?format=json","vulnerability_id":"VCID-cn29-6jf2-fqdp","summary":"PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash\n### Impact\n`DyeColorIdMap->fromId()` did not account for the possibility that it might be given invalid input. This means that an undefined offset error would occur whenever this happened.\n\nThis code is indirectly called during [`Banner->deserializeCompoundTag()`](https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104), which is invoked when deserializing any item NBT, whether from network or disk.\n\nAn attacker could use this bug to crash a server by providing NBT with invalid values for pattern colours in an inventory transaction, or by using `/give` to obtain an item with NBT like this.\n\n### Patches\n08b9495bce2d65a6d1d3eeb76e484499a00765eb\n\n### Workarounds\nThis is quite difficult to work around via a plugin. 
Theoretically, it's possible to override the `Banner` item class from a plugin and validate the data before it reaches `deserializeCompoundTag()`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [security@pmmp.io](mailto:security@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/38d6284671e8b657ba557e765a6c29b24a7705f5/src/item/Banner.php#L104"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/08b9495bce2d65a6d1d3eeb76e484499a00765eb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/08b9495bce2d65a6d1d3eeb76e484499a00765eb"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-wqqv-jcfr-9f5g","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-wqqv-jcfr-9f5g"},{"reference_url":"https:/
/github.com/advisories/GHSA-wqqv-jcfr-9f5g","reference_id":"GHSA-wqqv-jcfr-9f5g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wqqv-jcfr-9f5g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/68512?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.8.1"}],"aliases":["GHSA-wqqv-jcfr-9f5g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cn29-6jf2-fqdp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18142?format=json","vulnerability_id":"VCID-cssn-z8xt-afdk","summary":"PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`\n### Impact\nThe server handles `ActorEventPacket` to trigger consuming animations from vanilla clients when they eat food or drink potions.\n\nThis can be abused to make the server spam other clients, and to waste server CPU and memory. For every `ActorEventPacket` sent by the client, an animation event will be sent to every other player the attacker is visible to.\n\nThis is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. 
`AnimatePacket` and `LevelSoundEventPacket`), but somehow this one slipped through the net.\n\n### Patches\nThe problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. `ActorEventPacket` from the client is now discarded.\n\n### Workarounds\nA plugin could use `DataPacketDecodeEvent` to rate-limit `ActorEventPacket` to prevent the attack.","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/aeea1150a772a005b92bd418366f1b7cf1a91ab5","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/aeea1150a772a005b92bd418366f1b7cf1a91ab5"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7hmv-4j2j-pp6f","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7hmv-4j2j-pp6f"},{"reference_url":"https://github.com/advisories/GHSA-7hmv-4j2j-pp6f","reference_id":"GHSA-7hmv-4j2j-pp6f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7hmv-4j2j-pp6f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/45537?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.39.2","is_
vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-ka25-znbz-zuh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.39.2"}],"aliases":["GHSA-7hmv-4j2j-pp6f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cssn-z8xt-afdk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51724?format=json","vulnerability_id":"VCID-drmb-5nh6-dycy","summary":"NaN/INF in serverbound movement packets can crash clients and servers\n### Impact\nA malicious client may send a `MovePlayerPacket` to the server whose position or rotation contains NaN or INF. Since neither the server nor vanilla client handles this properly, a number of interesting side effects come into play.\n\n- The server may crash in various ways if this exploit is used, because some mathematical operations on NaN/INF generate PHP warnings, which are converted into exceptions.\n- Clients may not be able to see other clients who have a NaN/INF rotation.\n- Clients may also crash in such cases.\n\n### Patches\nA patch for this was included in the 3.18.1 release: https://github.com/pmmp/PocketMine-MP/commit/fb20bb38327b4c08ee3976640cd0dd547388a638\n\n### Workarounds\nWorkarounds could be implemented as plugins using `DataPacketReceiveEvent` to block any inbound movement packets containing bogus values.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [pmmp/PocketMine-MP](https://github.com/pmmp/PocketMine-MP)\n- Email us at 
[team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-fm35-jgg3-3grx","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-fm35-jgg3-3grx"},{"reference_url":"https://github.com/advisories/GHSA-fm35-jgg3-3grx","reference_id":"GHSA-fm35-jgg3-3grx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fm35-jgg3-3grx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/88029?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-e4m7-6y9j-57db"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-kbsa-tavc-hbf3"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-snq9-y2cc-rqb7"},{"vulnerability":"VCID-u17s-xnfv-pfem"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.18.1"}],"aliases":[
"GHSA-fm35-jgg3-3grx","GMS-2022-454"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-drmb-5nh6-dycy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49752?format=json","vulnerability_id":"VCID-e3zr-dpm8-9ybw","summary":"Unchecked validity of Facing values in PlayerActionPacket\n### Impact\nA remote attacker may crash a server by sending `PlayerActionPacket` with invalid facing values (e.g. negative), specifically with `START_BREAK` or `CRACK_BLOCK` actions, or with a `UseItemTransactionData` (typically in `InventoryTransactionPacket`).\n\n### Patches\nf126479c37ff00a717a828f5271cf8e821d12d6c\n\n### Workarounds\nUsing a plugin, cancel `DataPacketReceiveEvent` if the packet is `PlayerActionPacket` and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at 
[team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/f126479c37ff00a717a828f5271cf8e821d12d6c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/f126479c37ff00a717a828f5271cf8e821d12d6c"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xh99-hw7h-wf63","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xh99-hw7h-wf63"},{"reference_url":"https://github.com/advisories/GHSA-xh99-hw7h-wf63","reference_id":"GHSA-xh99-hw7h-wf63","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xh99-hw7h-wf63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85725?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-q
v5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-xb13-r3tg-qkgc"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.6"}],"aliases":["GHSA-xh99-hw7h-wf63","GMS-2022-27"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e3zr-dpm8-9ybw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49771?format=json","vulnerability_id":"VCID-e4m7-6y9j-57db","summary":"Book page text, count, and author/title length is not limited in PocketMine-MP\n### Impact\nPlayers can fill book pages with as many characters as they like; the server does not check this.\nIn addition, the maximum of 50 pages is also not enforced, meaning that players can create \"book bombs\".\n\nThis causes a variety of problems:\n- Oversized NBT on the wire costing excess bandwidth for server and client\n- Server crashes when saving region-based worlds due to exceeding maximum chunk size of 1 MB (PM3-specific)\n- Server crashes if any book page exceeds 32 KiB (due to TAG_String size limit) (PM4-specific)\n\nThis does, however, require that an attacker obtain a writable book in the first place in order to exploit the problem.\n\n### Patches\nThe bug has been fixed in 3.26.5 and 4.0.5.\n\n### Workarounds\nBan writable books, or use a plugin to cancel `PlayerEditBookEvent` to cancel the event if `strlen(text) > 1024 || mb_strlen(text) > 256`.\n\n### For more information\nIf you have any questions or comments 
about this advisory:\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-p62j-hrxm-xcxf","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-p62j-hrxm-xcxf"},{"reference_url":"https://github.com/advisories/GHSA-p62j-hrxm-xcxf","reference_id":"GHSA-p62j-hrxm-xcxf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p62j-hrxm-xcxf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85634?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.26.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u17s-xnfv-pfem"},{"vulnera
bility":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.26.5"},{"url":"http://public2.vulnerablecode.io/api/packages/85635?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-xb13-r3tg-qkgc"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5"}],"aliases":["GHSA-p62j-hrxm-xcxf","GMS-2022-4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e4m7-6y9j-57db"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38938?format=json","vulnerability_id":"VCID-j7pz-q84v-n7cx","summary":"PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'\n### Impact\nA \"mismatch\" type `InventoryTransactionPacket` is sent by the client to request a resync of all currently open inventories.\n\nSince PocketMine-MP does not rate-limit these \"mismatch\" 
transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).\n\nThis is not currently known to have been exploited in the wild.\n\n### Patches\nThis problem was fixed in 4.18.0-ALPHA2 by ca6d51498f12427a947467da8fcad7811418e6cc alongside the introduction of the `ItemStackRequest` system implementation.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` for `InventoryTransactionPacket` and check if the type is `MismatchTransactionData`. If it is, apply some kind of rate limit (e.g. max 1 per tick).","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.0-ALPHA2/changelogs/4.18-alpha.md#4180-ALPHA2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.18.0-ALPHA2/changelogs/4.18-alpha.md#4180-ALPHA2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-42qm-8v8m-m78c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-42qm-8v8m-m78c"},{"refe
rence_url":"https://github.com/advisories/GHSA-42qm-8v8m-m78c","reference_id":"GHSA-42qm-8v8m-m78c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-42qm-8v8m-m78c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72234?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.18.0-ALPHA2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.18.0-ALPHA2"}],"aliases":["GHSA-42qm-8v8m-m78c","GMS-2023-1728"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j7pz-q84v-n7cx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17518?format=json","vulnerability_id":"VCID-ka25-znbz-zuh8","summary":"PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket\n### Impact\n\nAttackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.\n\nThis happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. 
While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.\n\nThis vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.\n\n### Patches\n\nThis issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.\n\nHowever, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).\n\n### References\nAffected 
code:\n\nhttps://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303\nhttps://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/c1d4a813fb8c21bfd8b9affd040da864b794df71","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/c
ommit/c1d4a813fb8c21bfd8b9affd040da864b794df71"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xp4f-g2cm-rhg7","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xp4f-g2cm-rhg7"},{"reference_url":"https://github.com/advisories/GHSA-xp4f-g2cm-rhg7","reference_id":"GHSA-xp4f-g2cm-rhg7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xp4f-g2cm-rhg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/50564?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.42.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.42.1"}],"aliases":["GHSA-xp4f-g2cm-rhg7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ka25-znbz-zuh8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42552?format=json","vulnerability_id":"VCID-kbsa-tavc-hbf3","summary":"Inability to de-op players if listed in ops.txt with non-lowercase letters\n### Impact\nOriginally reported in iTXTech/Genisys#1188\n\n```txt\nPotterHarry98\npotterharry98\n```\n\n`deop PotterHarry98`\n\nwill remove `potterharry98` from the ops.txt but not `PotterHarry98`.\n\nOperator permissions are checked using `Config->exists()` with `lowercase=true`, which will result in a match:\nhttps://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449\n\nThis means that it's possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.\n\n### 
Patches\n4d37b79ff7f9d9452e988387f97919a9a1c4954e\n\n### Workarounds\nThis can be easily addressed by removing the offending lines from ops.txt manually.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [pmmp/PocketMine-MP](https://github.com/pmmp/PocketMine-MP)\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/iTXTech/Genisys/issues/1188","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/iTXTech/Genisys/issues/1188"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/blob/4.0.3/changelogs/4.0.md#403","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/blob/4.0.3/changelogs/4.0.md#403"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/4d37b79ff7f9d9452e988387f97919a9a1c4954e","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/4d37b79ff7f9d9452e988387f97919a9a1c4954e"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-j5qg-w9
jg-3wg3","reference_id":"","reference_type":"","scores":[{"value":"3.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-j5qg-w9jg-3wg3"},{"reference_url":"https://github.com/advisories/GHSA-j5qg-w9jg-3wg3","reference_id":"GHSA-j5qg-w9jg-3wg3","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-j5qg-w9jg-3wg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/76809?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-e4m7-6y9j-57db"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-snq9-y2cc-rqb7"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-xb13-r3tg-qkgc"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.3"}],"aliases":["GHSA-j5qg-w9jg-3wg3","GMS-2021-54"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablec
ode.io/vulnerabilities/VCID-kbsa-tavc-hbf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38812?format=json","vulnerability_id":"VCID-qma9-jppx-2bhy","summary":"PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency\n### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.\n\nThis happened due to a bug in [`netresearch/jsonmapper`](https://github.com/cweiske/JsonMapper). The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.\n\n### Patches\nThe problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.\n\n### Workarounds\n- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2.\n- A plugin may also be able to work around this issue by using `DataPacketReceiveEvent` to attempt detection of suspicious payloads. 
An `ErrorException` will be thrown in the crash case, which can be caught by plugins.\n\n### References\ncweiske/jsonmapper#210","references":[{"reference_url":"https://github.com/cweiske/jsonmapper/pull/210","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cweiske/jsonmapper/pull/210"},{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_s
ystem":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm"},{"reference_url":"https://github.com/advisories/GHSA-pqp3-8rrw-g8vm","reference_id":"GHSA-pqp3-8rrw-g8vm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pqp3-8rrw-g8vm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72098?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.20.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"},{"vulnerability":"VCID-zqkd-5na3-qkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.20.5"},{"url":"http://public2.vulnerablecode.io/api/packages/72099?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.21.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"},{"vulnerability":"VCID-zqkd-5na3-qkf3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.21.1"}],"aliases":["GHSA-pqp3-8rrw-g8vm","GMS-2023-1798"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qma9-jppx-2b
hy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57156?format=json","vulnerability_id":"VCID-qws7-x463-8ffa","summary":"Denial-of-service vulnerability processing large chat messages containing many newlines\n### Impact\nPocketMine-MP caps maximum chat message length at 512 Unicode characters, or about 2048 bytes. No more than 2 chat messages may be sent per tick. However, due to legacy reasons, incoming chat message blobs are split by `\\n`, and each part is treated as a separate message, the length of each part is individually checked. The length of the whole message is not checked.\n\nThis leads to an exploitable performance issue, in which a malicious client may send a chat packet of several megabytes containing nothing but `\\n` newline characters. The server will parse this into a very large array and spend a long time (several milliseconds) iterating over it for no reason.\n\nFurthermore, due to the lack of sufficient rate limit checks before parsing messages, malicious clients may bombard the server with many thousands of these malicious messages, causing lockups for a significant amount of time (seconds or minutes).\n\n### Patches\nThis bug was addressed in https://github.com/pmmp/PocketMine-MP/commit/df33e179e5d3ff13b56a2d7060bf592b0f797258 by:\n- checking the length of the incoming message as a whole before parsing it - it may not be larger than `messageCounter * maxChatMessageSize` (`messageCounter` is decremented once for every message sent)\n- limiting the maximum number of times a message may be split on newlines before giving up and discarding the message (maximum 3 parts; anything after the first 2 parts is discarded)\n\n### Workarounds\nHandle `DataPacketReceiveEvent` and check for these excessive newlines in incoming `TextPacket`.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at 
[team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672"},{"reference_url":"https://github.com/advisories/GHSA-gj94-v4p9-w672","reference_id":"GHSA-gj94-v4p9-w672","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gj94-v4p9-w672"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/128681?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerableco
de.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.10"}],"aliases":["GHSA-gj94-v4p9-w672"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qws7-x463-8ffa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49659?format=json","vulnerability_id":"VCID-snq9-y2cc-rqb7","summary":"Uncapped length of skin data fields submitted by players\n### Impact\nSome skin data fields (e.g. skinID, geometryName) are not capped in length. These fields are typically saved in the NBT data of a player when the player quits the server, or during an autosave.\n\nThis is problematic due to the 32767 byte limit on `TAG_String`s. If any of these fields exceeds 32767 bytes, an exception will be thrown during data saving, which will cause the server to crash.\n\nOther fields (such as skinGeometryData) are also uncapped, but those have a much larger 2 GB length limit, so this is not a concern for those, particularly considering the decompressed packet size limit of 2 MB.\n\n### Patches\nPM3: 958a9dbf0fe3131ab60319c5a939f5dfbfe5dfbb\nPM4: 6492cac5c10f9fa8443ceddd2191a7b65b73f601\n\n### Workarounds\nA plugin may check player skins during `PlayerLoginEvent` and `PlayerSkinChangeEvent` and ensure that the offending fields are not larger than 32767 bytes.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at 
[team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/6492cac5c10f9fa8443ceddd2191a7b65b73f601","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/6492cac5c10f9fa8443ceddd2191a7b65b73f601"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/958a9dbf0fe3131ab60319c5a939f5dfbfe5dfbb","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/958a9dbf0fe3131ab60319c5a939f5dfbfe5dfbb"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-c6fg-99pr-25m9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-c6fg-99pr-25m9"},{"reference_url":"https://github.com/advisories/GHSA-c6fg-99pr-25m9","reference_id":"GHSA-c6fg-99pr-25m9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6fg-99pr-
25m9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85634?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@3.26.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u17s-xnfv-pfem"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.26.5"},{"url":"http://public2.vulnerablecode.io/api/packages/85635?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-xb13-r3t
g-qkgc"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.5"}],"aliases":["GHSA-c6fg-99pr-25m9","GMS-2022-3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-snq9-y2cc-rqb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49753?format=json","vulnerability_id":"VCID-u17s-xnfv-pfem","summary":"Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP\n# Impact\nMinecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other.\n\nThis vulnerability affects servers which are able to be directly connected to via the internet (i.e. not behind a proxy).\n\nIf you are using a proxy, please check that it supports protocol encryption and that it is enabled.\n\n# Technical details\n<details>\n<summary>click to expand</summary>\n\n## Basics\n\n1. The client generates a private ECC key `clientPriv` which it uses to complete ECDH for encryption.\n2. A JWT containing the public key `clientPub` corresponding to this key is signed by Microsoft servers with the [Mojang root public key](https://github.com/pmmp/PocketMine-MP/blob/stable/src/network/mcpe/auth/ProcessLoginTask.php#L42) `mojangPub`.\n3. The server verifies that the token was issued by Microsoft servers by verifying the JWT signature with `mojangPub`.\n\n## Why this is a problem\nHowever, this only ensures that the token was issued by Microsoft. It does _not_ ensure that the client actually possesses the private key corresponding to the public key in the token.\nIn a login replay attack, the attacker sends a login captured from another session. 
This login is valid because it is verifiable by `mojangPub`; however, without encryption, the server doesn't know that the client actually possesses `clientPriv`, and the authenticity of the client cannot be verified.\n\n## How encryption prevents the attack\n\n1. The server calculates a shared secret for encryption using ECDH of `serverPriv` and `clientPub`.\n2. It then signs a return token using `serverPriv` and sends this to the client, along with `serverPub`.\n3. The client then verifies the JWT using `serverPub`, and calculates the same shared secret as the server using `clientPriv` and `serverPub`.\n\nIf the client does not possess `clientPriv` (i.e. because it replayed a stolen login), then the session cannot proceed once encryption is enabled, since the client cannot calculate the shared secret needed to decrypt the server packets and encrypt its own packets.\n\n**Since PM3 does not implement protocol encryption, this means that ALL versions of PM3 are affected by this login stealing attack.**\n\n## How does the attacker capture a login in the first place?\nThe typical way to do this would be to trick a player into joining a server controlled by the attacker. This would allow the attacker to grab the login from the connection and store it for future use.\n\n## Are the logins valid forever?\nNo. All the JWTs have expiry dates after which they cannot be used. These expiry dates are typically 2-3 days after the token was issued by XBOX servers. 
PocketMine-MP 3.x does verify these expiry dates, so the use-by dates of these attacks are limited.\n\n</details>\n\n# Patches\nThis problem has been fixed in all 4.x versions by implementing Minecraft protocol encryption.\n\n~This has not yet been addressed on 3.x, but since this vulnerability is already public knowledge, the advisory has been released early to make sure people are aware of it and the mitigation steps they can take.~\n\nUpdate 2022-01-22: This has been fixed on 3.x by d28be4eaf24a890f7ef110a51181a3d806a6acca.\n\n# Workarounds\n- Use a proxy that supports encryption such as [gophertunnel](https://github.com/Sandertv/gophertunnel) between your server and players. Make sure that the server only accepts connections from the proxy. If the proxy is on the same machine as the server, you can use `server-ip=127.0.0.1` to ensure that only the proxy can create connections for you.\n\nThe following things may help mitigate the problem:\n- Verify that the `LoginPacket` `serverAddress` field is the same as the server's exposed domain name. For example: https://github.com/JustTalDevelops/AntiLoginForger\n**WARNING: THIS DOES NOT SOLVE THE ROOT ISSUE. 
YOU WILL REMAIN VULNERABLE UNLESS YOU UPGRADE.**\n\n# For more information\nIf you have any questions or comments about this advisory:\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/issues/4580","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/issues/4580"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h79x-98r2-g6qc","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h79x-98r2-g6qc"},{"reference_url":"https://github.com/advisories/GHSA-h79x-98r2-g6qc","reference_id":"GHSA-h79x-98r2-g6qc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h79x-98r2-g6qc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85728?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerabi
lity":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-e3zr-dpm8-9ybw"},{"vulnerability":"VCID-e4m7-6y9j-57db"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-kbsa-tavc-hbf3"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-snq9-y2cc-rqb7"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-vfsu-u58e-x7aw"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-xb13-r3tg-qkgc"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.0.0"}],"aliases":["GHSA-h79x-98r2-g6qc","GMS-2022-25"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u17s-xnfv-pfem"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35692?format=json","vulnerability_id":"VCID-u5tq-6cvu-bygb","summary":"PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)\n### Impact\nAn attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.\n\nThis happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.\n\n Code processing arrays in the JSON data could then crash due to unexpected `NULL` elements.\n\n### Patches\nThis problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c\n\nAn upstream patch for this issue was proposed via https://github.com/cweiske/jsonmapper/pull/211; however, as 
of 2024-05-15, the patch has not been accepted upstream due to debate about how to deal with the behavior. For now, a fork of JsonMapper is used by PocketMine-MP to work around the issue.\n\n### Workarounds\nA plugin may handle `DataPacketReceiveEvent` for `LoginPacket` and check that none of the input arrays contain `NULL` where it's not expected, but this is rather cumbersome.\n\n### References\nProposed upstream patch for a behavior change: https://github.com/cweiske/jsonmapper/pull/211","references":[{"reference_url":"https://github.com/pmmp/netresearch-jsonmapper/commit/4f90e8dab1c9df331fad7d3d89823404e882668c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/netresearch-jsonmapper/commit/4f90e8dab1c9df331fad7d3d89823404e882668c"},{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-92jh-gwch-jq38","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-92jh-gwch-jq38"},{"reference_url":"https://github.com/advisories/GHSA-92jh-gwch-jq38","reference_id":"GHSA-92jh-gwch-jq38","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-92jh-gwch-jq38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67922?format=jso
n","purl":"pkg:composer/pocketmine/pocketmine-mp@4.23.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.23.1"},{"url":"http://public2.vulnerablecode.io/api/packages/67921?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.3.1"}],"aliases":["GHSA-92jh-gwch-jq38","GMS-2023-2249"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u5tq-6cvu-bygb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51616?format=json","vulnerability_id":"VCID-vfsu-u58e-x7aw","summary":"Improperly checked metadata on tools/armour itemstacks received from the client\n### Impact\nDue to a workaround applied in 1.13, an attacker may send a negative damage/meta value in a tool or armour item's NBT, which `TypeConverter` then blindly uses as if it was valid without being checked.\n\nWhen this invalid metadata value reaches `Durable->setDamage()`, an exception is thrown because the metadata is not within the expected range for 
damage values.\n\nThis can be reproduced with either a too-large damage value, or a negative one.\n\n### Patches\nc8e1cfcbee4945fd4b63d2a7e96025c59744d4f1\n\n### Workarounds\nIn theory this can be checked by plugins using a custom `TypeConverter`, but this is likely to be very cumbersome.\n\n### For more information\n* Email us at [team@pmmp.io](mailto:team@pmmp.io)","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-46c5-pfj8-fv65","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-46c5-pfj8-fv65"},{"reference_url":"https://github.com/advisories/GHSA-46c5-pfj8-fv65","reference_id":"GHSA-46c5-pfj8-fv65","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-46c5-pfj8-fv65"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/87934?format=json","
purl":"pkg:composer/pocketmine/pocketmine-mp@4.2.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2d6r-as3y-43h9"},{"vulnerability":"VCID-4t87-31wu-3ygb"},{"vulnerability":"VCID-5a2c-344g-4uen"},{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8bgq-t88m-a7dq"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-c2yy-ttxx-z7ah"},{"vulnerability":"VCID-cn29-6jf2-fqdp"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-j7pz-q84v-n7cx"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-qma9-jppx-2bhy"},{"vulnerability":"VCID-qws7-x463-8ffa"},{"vulnerability":"VCID-u5tq-6cvu-bygb"},{"vulnerability":"VCID-wf67-p6fh-hkcu"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@4.2.4"}],"aliases":["GHSA-46c5-pfj8-fv65","GMS-2022-458"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vfsu-u58e-x7aw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/31985?format=json","vulnerability_id":"VCID-wf67-p6fh-hkcu","summary":"PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()\n### Impact\nDue to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients were able to abuse some packets to waste server CPU and memory.\n\nThis is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:\n\n- Sign editing\n- LoginPacket JWT parsing\n- Command parsing\n\nHowever, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.\n\n### Patches\nThe issue was fixed in 5.25.2 via 
d0d84d4c5195fb0a68ea7725424fda63b85cd831.\n\nA custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to `explode()` within the codebase must specify the `limit` parameter.\n\n### Workarounds\nNo simple way to fix this.\nGiven that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing `BlockActorDataPacket` to check that the incoming text doesn't have more than 4 parts when split by `\\n`.","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/d0d84d4c5195fb0a68ea7725424fda63b85cd831","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/d0d84d4c5195fb0a68ea7725424fda63b85cd831"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g274-c6jj-h78p","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g274-c6jj-h78p"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system
":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672"},{"reference_url":"https://github.com/advisories/GHSA-g274-c6jj-h78p","reference_id":"GHSA-g274-c6jj-h78p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g274-c6jj-h78p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64853?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.25.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"},{"vulnerability":"VCID-zf3w-3xh6-bqa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.25.2"}],"aliases":["GHSA-g274-c6jj-h78p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wf67-p6fh-hkcu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/28824?format=json","vulnerability_id":"VCID-zf3w-3xh6-bqa1","summary":"PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking\n### Summary\n\nA denial-of-service / out-of-memory vulnerability exists in the `STATUS_SEND_PACKS` handling of `ResourcePackClientResponsePacket`.\nPocketMine-MP processes the `packIds` array without verifying that all entries are unique.\nA malicious (non-standard) Bedrock client can send multiple duplicate valid pack UUIDs in the same `STATUS_SEND_PACKS` packet, causing the server to send the same pack multiple times. 
This can quickly exhaust memory and crash the server.\nSeverity: **High** — Remote DoS from an authenticated client.\n\n---\n\n### Details\n\nRelevant code (simplified):\n\n```php\ncase ResourcePackClientResponsePacket::STATUS_SEND_PACKS:\n    foreach($packet->packIds as $uuid){\n        $splitPos = strpos($uuid, \"_\");\n        if($splitPos !== false){\n            $uuid = substr($uuid, 0, $splitPos);\n        }\n        $pack = $this->getPackById($uuid);\n        if(!($pack instanceof ResourcePack)){\n            $this->disconnectWithError(\"Unknown pack $uuid requested...\");\n            return false;\n        }\n        $this->session->sendDataPacket(ResourcePackDataInfoPacket::create(\n            $pack->getPackId(),\n            self::PACK_CHUNK_SIZE,\n            (int) ceil($pack->getPackSize() / self::PACK_CHUNK_SIZE),\n            $pack->getPackSize(),\n            $pack->getSha256(),\n            false,\n            ResourcePackType::RESOURCES\n        ));\n    }\n    break;\n```\n\n**Root cause:**\n\n* The `packIds` array is taken directly from the client packet and processed as-is.\n* There is no check to ensure that all requested packs are unique.\n* A malicious client can craft a `STATUS_SEND_PACKS` packet with many duplicates of a valid UUID.\n* Each duplicate results in the server re-sending the same pack, consuming additional memory.\n\n**Why this is unexpected:**\n\n* Mojang's official clients never send duplicates in `packIds`.\n* PocketMine assumes the client is well-behaved, but an attacker can bypass this with a custom client.\n\n---\n\n**Suggested fix:**\nBefore sending packs:\n\n1. Remove duplicates from the incoming `packIds` array.\n2. If the difference between the original count and unique count exceeds a small threshold (e.g. > 2 duplicates), immediately disconnect the client with an error.\n3. 
Track which packs have already been sent to this player, and skip any that have already been transferred.\n\n```php\n$alreadySent = $this->packsSent ?? [];\n\n// Remove duplicates\n$uniquePackIds = array_unique($packet->packIds);\n\n// Detect abuse\nif(count($packet->packIds) - count($uniquePackIds) > 2){\n    $this->disconnectWithError(\"Too many duplicate resource pack requests\");\n    return false;\n}\n\nforeach($uniquePackIds as $uuid){\n    if(in_array($uuid, $alreadySent, true)){\n        continue; // Skip packs already sent to this player\n    }\n    // existing code...\n    $alreadySent[] = $uuid;\n}\n\n$this->packsSent = $alreadySent;\n```\n\n---\n\n### PoC\n\n1. Join a PocketMine-MP server with at least one resource pack enabled.\n2. Using a custom Bedrock client, send a `ResourcePackClientResponsePacket` with:\n\n   * `status = STATUS_SEND_PACKS`\n   * `packIds` = many duplicates of a known valid pack UUID.\n\nExample Node.js PoC (requires `bedrock-protocol` and a valid `PACK_UUID`):\n\n```js\nimport { createClient } from 'bedrock-protocol';\n\nconst host = '127.0.0.1';\nconst port = 19132;\nconst username = 'test';\nconst PACK_UUID = '00000000-0000-0000-0000-000000000000'; // replace with a real UUID\nconst DUPLICATES = 1000;\n\nconst client = createClient({\n    host,\n    port,\n    username,\n    offline: true\n});\n\nclient.on('spawn', () => {\n    console.log('[*] Sending duplicate pack request...');\n    client.queue('resource_pack_client_response', {\n        response_status: 'send_packs',\n        resourcepackids: Array(DUPLICATES).fill(PACK_UUID)\n    });\n});\n```\n\n---\n\n### Impact\n\n* **Type:** Remote Denial of Service / Memory Exhaustion\n* **Who is impacted:** Any PocketMine-MP server with resource packs enabled\n* **Requirements:** Attacker must connect to the server (authenticated player)\n* **Effect:** Server memory rapidly increases, leading to freeze or 
crash","references":[{"reference_url":"https://github.com/pmmp/PocketMine-MP","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/c417ecd30d20520227b15e09eda87db492ab0a6a","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/c417ecd30d20520227b15e09eda87db492ab0a6a"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/commit/e375437439df51f7862b6b98318394643fcd6724","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/commit/e375437439df51f7862b6b98318394643fcd6724"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/releases/tag/5.32.1","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/releases/tag/5.32.1"},{"reference_url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-fqqv-56h5-f57g","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring
_elements":""}],"url":"https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-fqqv-56h5-f57g"},{"reference_url":"https://github.com/advisories/GHSA-fqqv-56h5-f57g","reference_id":"GHSA-fqqv-56h5-f57g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fqqv-56h5-f57g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/62284?format=json","purl":"pkg:composer/pocketmine/pocketmine-mp@5.32.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6hed-1yz7-77eb"},{"vulnerability":"VCID-8rhq-qv5w-zyfj"},{"vulnerability":"VCID-acwe-9my2-xuef"},{"vulnerability":"VCID-cssn-z8xt-afdk"},{"vulnerability":"VCID-ka25-znbz-zuh8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@5.32.1"}],"aliases":["GHSA-fqqv-56h5-f57g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zf3w-3xh6-bqa1"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/pocketmine/pocketmine-mp@3.8.7"}