GHSA-g274-c6jj-h78p: PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()

March 10, 2025

Due to lack of limits by default in the explode() function, malicious clients were able to abuse some packets to waste server CPU and memory.

This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:

Sign editing
LoginPacket JWT parsing
Command parsing

However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.

References

github.com/advisories/GHSA-g274-c6jj-h78p
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/commit/d0d84d4c5195fb0a68ea7725424fda63b85cd831
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g274-c6jj-h78p
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672

Detect and mitigate GHSA-g274-c6jj-h78p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →