An attacker could crash the server by sending malformed JWT JSON in LoginPacket
due to a security vulnerability in netresearch/jsonmapper
, due to improper checking for mapping JSON arrays and objects onto scalar model properties such as strings.
The problem was fixed in a fork of JsonMapper in dktapps/JsonMapper@a31902a31f5b6fdb832f57c0e3a3f16a3b41c012. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
DataPacketReceiveEvent
to attempt detection of suspicious payloads. An ErrorException
will be thrown in the crash case, which can be caught by plugins.cweiske/jsonmapper#210