An attacker could crash the server by sending malformed JWT JSON in LoginPacket. This was caused by a security vulnerability in netresearch/jsonmapper, which accepted NULL values in arrays whose types do not expect NULL.
This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c
A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.
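
The check this workaround describes, as an added example (not PocketMine-MP or JsonMapper code): it decodes a JWT payload and lists every NULL that sits directly inside a JSON array. The function names, field names and sample token are constructed, the wiring into DataPacketReceiveEvent is not shown, and treating every NULL array element as unexpected is an assumption.

```php
<?php
declare(strict_types=1);

// Added example: all names and the sample token below are constructed.

/**
 * Lists the path of every null element that sits directly inside a JSON array.
 * Expects json_decode() output with objects as stdClass, so PHP arrays here
 * are always JSON arrays. Assumption: no array in the input may hold null.
 * @return string[]
 */
function findNullArrayElements(mixed $node, string $path = '$') : array{
	$found = [];
	if(is_array($node)){
		foreach($node as $i => $value){
			if($value === null){
				$found[] = "{$path}[{$i}]";
			}else{
				$found = array_merge($found, findNullArrayElements($value, "{$path}[{$i}]"));
			}
		}
	}elseif($node instanceof stdClass){
		// A null property can be a legitimate nullable field, so only recurse.
		foreach(get_object_vars($node) as $key => $value){
			$found = array_merge($found, findNullArrayElements($value, "{$path}.{$key}"));
		}
	}
	return $found;
}

/** @return string[] paths of null array elements in the JWT's payload */
function jwtPayloadNullElements(string $jwt) : array{
	$parts = explode('.', $jwt);
	if(count($parts) !== 3){
		throw new InvalidArgumentException('expected header.payload.signature');
	}
	$b64 = strtr($parts[1], '-_', '+/');
	$b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore stripped padding
	$json = base64_decode($b64, true);
	if($json === false){
		throw new InvalidArgumentException('payload is not valid base64url');
	}
	return findNullArrayElements(json_decode($json, false, 512, JSON_THROW_ON_ERROR));
}

// Constructed token: placeholder header and signature, payload with one null.
$payload = '{"items":[{"id":"a"},null],"tags":["x"],"note":null}';
$token = 'hdr.' . rtrim(strtr(base64_encode($payload), '+/', '-_'), '=') . '.sig';
print_r(jwtPayloadNullElements($token));
```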