GHSA-pqp3-8rrw-g8vm: PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
An attacker could crash PocketMine-MP by sending malformed JSON in a `LoginPacket`.

The root cause was a bug in netresearch/jsonmapper: the library did not verify that a JSON value was actually a scalar before mapping it onto a scalar model property such as a string, so JSON arrays and objects were passed through to properties that could only hold strings or other scalars.
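To make the missing check concrete, here is an added example written for this page; it is not code from PocketMine-MP or from jsonmapper, and the `LoginModel`, `StrictScalarMapper` and `MappingException` names are invented for illustration. It maps decoded JSON onto a model with typed PHP properties and rejects a JSON array or object wherever a scalar is declared, raising a catchable exception instead of letting the assignment fail. In PHP, assigning an array to a `string`-typed property throws a `TypeError`, which is an `Error` rather than an `Exception` and therefore slips past the usual `catch (Exception $e)` handlers; checking the type first keeps the failure inside the normal error-handling path.

```php
<?php
// Added example (not PocketMine-MP or jsonmapper code): a minimal mapper that
// checks decoded JSON value types against a model's declared scalar property
// types before assignment. Requires PHP 8.0+ (typed properties and match).
declare(strict_types=1);

// Hypothetical model standing in for a login payload; field names are invented.
final class LoginModel
{
    public string $username = '';
    public int $protocol = 0;
}

final class MappingException extends RuntimeException {}

final class StrictScalarMapper
{
    /** Map decoded JSON onto $model; only public, built-in-typed properties are filled. */
    public static function map(array $json, object $model): object
    {
        $ref = new ReflectionObject($model);
        foreach ($ref->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
            $name = $prop->getName();
            if (!array_key_exists($name, $json)) {
                continue; // absent keys keep the model's default value
            }
            $type = $prop->getType();
            if (!$type instanceof ReflectionNamedType || !$type->isBuiltin()) {
                throw new MappingException("Unsupported property type for '$name'");
            }
            $value    = $json[$name];
            $expected = $type->getName();
            // The check at issue: with json_decode(..., true) both JSON arrays and
            // JSON objects become PHP arrays, and neither is an acceptable scalar.
            $ok = match ($expected) {
                'string' => is_string($value),
                'int'    => is_int($value),
                'float'  => is_float($value) || is_int($value),
                'bool'   => is_bool($value),
                default  => false,
            };
            if (!$ok) {
                throw new MappingException(
                    "Property '$name' expects $expected, got " . gettype($value)
                );
            }
            $prop->setValue($model, $expected === 'float' ? (float) $value : $value);
        }
        return $model;
    }
}

// Constructed sample payloads: one well-formed, and two of the shape the text
// describes (a JSON array and a JSON object where a string is declared).
$payloads = [
    'valid'  => '{"username":"steve","protocol":712}',
    'array'  => '{"username":["steve"],"protocol":712}',
    'object' => '{"username":{"a":1},"protocol":712}',
];

foreach ($payloads as $label => $raw) {
    $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    try {
        $m = StrictScalarMapper::map($decoded, new LoginModel());
        echo "$label: ok (username={$m->username}, protocol={$m->protocol})\n";
    } catch (MappingException $e) {
        // Handled in the normal exception path; the process keeps running.
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Run it with `php example.php`: the `valid` payload maps cleanly, while `array` and `object` are reported as rejected by the mapper rather than terminating the script. The same pattern applies to any code that feeds untrusted JSON into typed objects: validate the JSON type against the declared property type before the assignment happens, and treat a mismatch as a protocol error from the client, not as an internal fault.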
References
- github.com/advisories/GHSA-pqp3-8rrw-g8vm
- github.com/cweiske/jsonmapper/pull/210
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/commit/09668a37d66c6023685a948b7550c918620e98f2
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-pqp3-8rrw-g8vm
- github.com/pmmp/netresearch-jsonmapper/commit/a31902a31f5b6fdb832f57c0e3a3f16a3b41c012