GHSA-92jh-gwch-jq38: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

September 14, 2023 (updated May 23, 2024)

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.

This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.

Code processing arrays in the JSON data could then crash due to unexpected NULL elements.

References

github.com/advisories/GHSA-92jh-gwch-jq38
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-92jh-gwch-jq38
github.com/pmmp/netresearch-jsonmapper/commit/4f90e8dab1c9df331fad7d3d89823404e882668c

Detect and mitigate GHSA-92jh-gwch-jq38 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →