PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

Impact The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements. The player must have a full session on the server i.e. spawned ...

Logging of Excessive Data

Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of unexpected properties in the clientData of the LoginPacket...

CVE-2023-7332 PocketMine-MP < 4.18.1 Improper Validation of Dropped Item Count Allows Remote Server Crash

PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting...

Allocation of Resources Without Limits or Throttling

Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the explode function. An attacker can occupy excessive...

Denial Of Service (DOS)

pocketmine/pocketmine-mp is vulnerable to Denial Of Service. The vulnerability is due to a lack of bounds checking when accessing inventory slots while calling function BaseInventory-getItem. This leads to an unhandled exception and potentially leads to Denial of service via malformed...

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)

Impact An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. netresearch/jsonmapper allows objects to be hydrated from scalar types in JSON. However, due to the lack of validation in the code for this feature, it may output improperly initialized objects if applied to...

GHSA-H6J3-J35F-V2X7 PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)

Impact An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. netresearch/jsonmapper allows objects to be hydrated from scalar types in JSON. However, due to the lack of validation in the code for this feature, it may output improperly initialized objects if applied to...

PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory-getItem. Details Crashes at...

GHSA-XC7J-WJ36-QJFR PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

Summary If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory-getItem. Details Crashes at...

PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

Impact An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect. Code processing arrays in the JSON data could the...

GHSA-79RC-JJH6-RC89 PocketMine-MP server crash due to incorrect EC curve used for LoginPacket identityPublicKey

Impact The server uses ECDH to calculate a shared secret for the symmetric encryption key used to encrypt network packets after logging in. ECDH requires that the keys used must both belong to the same elliptic curve. In Minecraft: Bedrock Edition, the curve used is secp384r1. Using any other cur...

Denial Of Service (DoS)

pocketmine/pocketmine-mp is vulnerable to Denial Of Service DoS. The vulnerability exists in due to the netresearch/jsonmapper dependency due to improper mappings of JSON arrays and objects onto scalar model properties which allows an attacker to send malformed JWT JSON in the LoginPacket causing...

Denial Of Service (DoS)

pocketmine/pocketmine-mp is vulnerable to Denial Of Service DoS. The vulnerability exists due to improperly checked dropped item count which allows players to request that the server drop more of an item than they had available in their hotbar causing an application crash...

Denial Of Service (DoS)

pocketmine/pocketmine-mp is vulnerable to Denial Of Service DoS. The vulnerability exists due to missing rate-limits which allows an attacker to consume resources via mismatched type of a InventoryTransactionPacket which results in an application crash...

PocketMine-MP vulnerable to server crash using badly formatted sign NBT in BlockActorDataPacket

Summary A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in BlockActorDataPacket. Details This vulnerability was discovered using the BlockActorDataPacket, but other packets may also be affected. The player would seem to just need to send an NBT with...

GHSA-7WRV-6H42-W54F PocketMine-MP vulnerable to server crash using badly formatted sign NBT in BlockActorDataPacket

Summary A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in BlockActorDataPacket. Details This vulnerability was discovered using the BlockActorDataPacket, but other packets may also be affected. The player would seem to just need to send an NBT with...

PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash

Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This did not lead to any duplication issues, but instead led to a server...

GHSA-H87R-F4VC-MCHV PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash

Impact In 4.18.0, the network handling of inventories was completely revamped. Due to this, a bug was introduced which allowed players to request that the server drop more of an item than they had available in their hotbar. This did not lead to any duplication issues, but instead led to a server...

PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency

Impact An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to a bug in netresearch/jsonmapper. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings. Patches The problem was fixed in a...

GHSA-PQP3-8RRW-G8VM PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency

Impact An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket. This happened due to a bug in netresearch/jsonmapper. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings. Patches The problem was fixed in a...