GHSA-92jh-gwch-jq38: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
An attacker could crash PocketMine-MP by sending malformed JSON in `LoginPacket`.
This happened because of how the JSON mapper handles NULL types: it accepts NULL values as elements of typed arrays, which PocketMine-MP did not expect.
Code processing arrays in the JSON data could then crash on the unexpected NULL elements.
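A defensive check for the failure described above, as an added example that is not PocketMine-MP's code or its actual fix: it validates every element of an array taken from untrusted JSON before any other code touches it. The function `decodeStringList`, the field name `items` and the sample payloads are constructed for illustration, and PHP 8.1 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Decode a JSON document and return the named field as a list of strings.
 * Throws InvalidArgumentException on any shape the caller does not expect.
 *
 * @return list<string>
 */
function decodeStringList(string $json, string $field): array
{
    try {
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new InvalidArgumentException("invalid JSON: " . $e->getMessage(), 0, $e);
    }
    if (!is_array($data) || !array_key_exists($field, $data)) {
        throw new InvalidArgumentException("missing field '$field'");
    }
    $list = $data[$field];
    if (!is_array($list) || !array_is_list($list)) {
        throw new InvalidArgumentException("'$field' must be a JSON array");
    }
    foreach ($list as $i => $element) {
        // A typed-array hint alone does not guarantee this: check every
        // element, so a null is rejected here and never reaches later code.
        if (!is_string($element)) {
            throw new InvalidArgumentException(
                "'$field'[$i] must be string, got " . get_debug_type($element)
            );
        }
    }
    return $list;
}

// Constructed sample payloads: well-formed, null element, null array.
$samples = ['{"items":["a","b"]}', '{"items":["a",null]}', '{"items":null}'];
foreach ($samples as $json) {
    try {
        $count = count(decodeStringList($json, 'items'));
        echo "accepted ($count elements): $json\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $json ({$e->getMessage()})\n";
    }
}
```

Rejecting the payload with a caught exception at the parsing boundary turns a server crash into a failed login for that one connection.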