
10 matches found

Veracode
added 2023/08/07 9:5 a.m. · 11 views

Denial Of Service (DoS)

pocketmine/pocketmine-mp is vulnerable to Denial of Service (DoS). The vulnerability exists due to missing rate limits, which allows an attacker to consume resources via a mismatched type of InventoryTransactionPacket, resulting in an application crash...

6.7 AI score
Exploits: 0

Github Security Blog
added 2023/06/01 7:10 p.m. · 10 views

PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'

Impact: A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can ...

6.9 AI score
Exploits: 0 · References: 3 · Affected Software: 1

OSV
added 2023/06/01 7:10 p.m. · 15 views

GHSA-42QM-8V8M-M78C PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'

Impact: A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can ...

5.3 CVSS · 7.1 AI score
Exploits: 0 · References: 3

Positive Technologies
added 2023/06/01 12:0 a.m. · 2 views

PT-2023-32972 · Unknown · Pocketmine-Mp

Name of the Vulnerable Software and Affected Versions: PocketMine-MP versions prior to 4.18.0-ALPHA2

Description: The issue arises from the client sending a "mismatch" type InventoryTransactionPacket to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit...

5.3 CVSS · 7.1 AI score
Exploits: 0 · References: 4

Github Security Blog
added 2022/04/22 8:57 p.m. · 14 views

Insufficient type validation in pocketmine/pocketmine-mp

Impact: When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involv...

6.7 AI score
Exploits: 0 · References: 5 · Affected Software: 1

OSV
added 2022/04/22 8:57 p.m. · 9 views

GHSA-G5RR-P69H-7V3G Insufficient type validation in pocketmine/pocketmine-mp

Impact: When an inventory interaction is performed (e.g. moving an item around an inventory), the client sends a serialized version of the itemstack to the server, which the server then deserializes and compares against its own copy. If the copies don't match, the transaction is invalid. This involv...

7.5 CVSS · 6.7 AI score
Exploits: 0 · References: 5

Github Security Blog
added 2022/01/13 10:25 p.m. · 18 views

Unchecked validity of Facing values in PlayerActionPacket

Impact: A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with STARTBREAK or CRACKBLOCK actions, or with a UseItemTransactionData typically in InventoryTransactionPacket.

Patches: f126479c37ff00a717a828f5271cf8e821d12d6c...

7 AI score
Exploits: 0 · References: 3 · Affected Software: 1

OSV
added 2022/01/13 10:25 p.m. · 8 views

GHSA-XH99-HW7H-WF63 Unchecked validity of Facing values in PlayerActionPacket

Impact: A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with STARTBREAK or CRACKBLOCK actions, or with a UseItemTransactionData typically in InventoryTransactionPacket.

Patches: f126479c37ff00a717a828f5271cf8e821d12d6c...

7.5 CVSS · 6.9 AI score
Exploits: 0 · References: 3

Github Security Blog
added 2020/11/11 9:38 p.m. · 48 views

Exploitable inventory component chaining in PocketMine-MP

Impact: Specially crafted InventoryTransactionPackets sent by malicious clients were able to exploit the behaviour of InventoryTransaction-findResultItem and cause it to take an abnormally long time to execute, causing an apparent server freeze. The affected code is intended to compact conflicting...

2.2 AI score
Exploits: 0 · References: 2 · Affected Software: 1

OSV
added 2020/11/11 9:38 p.m. · 9 views

GHSA-8JQ6-W5CG-WM45 Exploitable inventory component chaining in PocketMine-MP

Impact: Specially crafted InventoryTransactionPackets sent by malicious clients were able to exploit the behaviour of InventoryTransaction-findResultItem and cause it to take an abnormally long time to execute, causing an apparent server freeze. The affected code is intended to compact conflicting...

7.4 AI score
Exploits: 0 · References: 1