GMS-2023-2249: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
Impact
An attacker could crash the server by sending malformed JWT JSON in `LoginPacket`. The root cause was a security vulnerability in netresearch/jsonmapper, which accepted NULL values in arrays whose element types do not expect NULL. Because `LoginPacket` is the first packet a client sends, no account or prior authentication is required: anyone able to reach the server port could trigger the crash.
Patches
This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c
Workarounds
A plugin may handle `DataPacketReceiveEvent` for `LoginPacket` and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.
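The following PHP listener is an added illustration of that workaround; it is not code from the advisory or from PocketMine-MP itself. It assumes the PocketMine-MP 5.x API: `LoginPacket` exposing `chainDataJwt->chain` (a list of JWT strings) and `clientDataJwt`, `JwtUtils::parse()` returning the JWT header and claims as associative arrays, `DataPacketReceiveEvent::cancel()`, and `NetworkSession::disconnect()`. The namespace and class names are hypothetical, and the check is deliberately conservative: it rejects a NULL element inside any JSON array at any depth, without knowing which arrays the core's mapped types actually consider nullable.

```php
<?php
declare(strict_types=1);

namespace example\loginguard; // hypothetical plugin namespace

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\JwtException;
use pocketmine\network\mcpe\JwtUtils;
use pocketmine\network\mcpe\protocol\LoginPacket;

/**
 * Returns true if the decoded JSON value contains a NULL element inside a
 * JSON array (list) at any depth. Object members are walked but a null
 * member is not flagged by itself, since nullable object fields can be
 * legitimate; null elements inside a typed array are what tripped JsonMapper.
 */
function containsNullInList(mixed $value) : bool{
	if(!is_array($value)){
		return false;
	}
	// json_decode(..., true) turns both JSON objects and JSON arrays into PHP
	// arrays; a list is one whose keys are exactly 0..n-1 (manual check so the
	// function also runs on PHP 8.0, which lacks array_is_list()).
	$isList = array_keys($value) === range(0, count($value) - 1);
	foreach($value as $element){
		if($isList && $element === null){
			return true;
		}
		if(containsNullInList($element)){
			return true;
		}
	}
	return false;
}

final class LoginGuardListener implements Listener{

	/** Rejects a LoginPacket whose JWT payloads contain NULL inside a JSON array. */
	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof LoginPacket){
			return;
		}

		// Assumption (PM 5.x layout): identity chain is a list of JWT strings,
		// followed by a single client-data JWT.
		$jwts = $packet->chainDataJwt->chain;
		$jwts[] = $packet->clientDataJwt;

		foreach($jwts as $jwt){
			try{
				// JwtUtils::parse() yields [header, claims, signature]; header and
				// claims are json_decode'd as associative arrays.
				[$header, $claims, ] = JwtUtils::parse($jwt);
			}catch(JwtException){
				// Tokens that do not even parse are rejected by the core itself;
				// leave those to the normal handler.
				return;
			}
			if(containsNullInList($header) || containsNullInList($claims)){
				// Cancelling stops the packet from reaching the login handler; the
				// session must then be closed explicitly, or it idles until the
				// login timeout.
				$event->cancel();
				$event->getOrigin()->disconnect("Malformed login data");
				return;
			}
		}
	}
}
```

Register the listener from the plugin's `onEnable()` with `$this->getServer()->getPluginManager()->registerEvents(new LoginGuardListener(), $this);`. This only mitigates the specific NULL-in-array input the advisory describes; updating to 5.3.1 or 4.23.1 remains the real fix.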