GHSA-g274-c6jj-h78p

Suggest an improvement
Source
https://github.com/advisories/GHSA-g274-c6jj-h78p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-g274-c6jj-h78p/GHSA-g274-c6jj-h78p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g274-c6jj-h78p
Published
2025-03-10T20:29:26Z
Modified
2025-03-10T20:32:18.495760Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
Details

Impact

Due to lack of limits by default in the explode() function, malicious clients were able to abuse some packets to waste server CPU and memory.

This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:

  • Sign editing
  • LoginPacket JWT parsing
  • Command parsing

However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.

Patches

The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.

A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to explode() within the codebase must specify the limit parameter.

Workarounds

No simple way to fix this. Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing BlockActorDataPacket to check that the incoming text doesn't have more than 4 parts when split by \n.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T20:29:26Z"
}
References

Affected packages

Packagist / pocketmine/pocketmine-mp

Package

Name
pocketmine/pocketmine-mp
Purl
pkg:composer/pocketmine/pocketmine-mp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.25.2

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.14.3
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.16.0
3.16.1
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.18.0
3.18.1
3.18.2
3.19.0
3.19.1
3.19.2
3.19.3
3.20.0
3.21.0
3.21.1
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0
3.23.1
3.24.0
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4
3.25.5
3.25.6
3.26.0
3.26.1
3.26.2
3.26.3
3.26.4
3.26.5
3.27.0
3.28.0

4.*

4.0.0-BETA1
4.0.0-BETA2
4.0.0-BETA3
4.0.0-BETA4
4.0.0-BETA5
4.0.0-BETA6
4.0.0-BETA7
4.0.0-BETA8
4.0.0-BETA9
4.0.0-BETA10
4.0.0-BETA11
4.0.0-BETA12
4.0.0-BETA13
4.0.0-BETA14
4.0.0-BETA15
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.1.0-BETA1
4.1.0-BETA2
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.4.0-BETA1
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.11.0-BETA1
4.11.0-BETA2
4.11.0
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.12.8
4.12.9
4.12.10
4.12.11
4.13.0-BETA1
4.13.0
4.14.0
4.14.1
4.15.0
4.15.1
4.15.2
4.15.3
4.16.0-BETA1
4.16.0-BETA2
4.16.0
4.17.0
4.17.1
4.17.2
4.18.0-ALPHA1
4.18.0-ALPHA2
4.18.0
4.18.1
4.18.2
4.18.3
4.18.4
4.19.0
4.19.1
4.19.2
4.19.3
4.20.0
4.20.1
4.20.2
4.20.3
4.20.4
4.20.5
4.21.0
4.21.1
4.22.0
4.22.1
4.22.2
4.22.3
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.23.5
4.23.6
4.24.0
4.25.0
4.26.0

5.*

5.0.0-ALPHA1
5.0.0-BETA1
5.0.0-ALPHA2
5.0.0-BETA2
5.0.0-ALPHA3
5.0.0-BETA3
5.0.0-ALPHA4
5.0.0-BETA4
5.0.0-ALPHA5
5.0.0-ALPHA6
5.0.0-ALPHA7
5.0.0-ALPHA8
5.0.0-ALPHA9
5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.1.3
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.5.0-BETA1
5.5.0
5.6.0
5.6.1
5.7.0
5.7.1
5.8.1
5.8.2
5.9.0
5.10.0
5.11.0
5.11.1
5.11.2
5.12.0
5.12.1
5.13.0
5.14.0
5.14.1
5.15.0
5.16.0
5.17.0
5.17.1
5.18.0
5.18.1
5.19.0
5.20.0
5.20.1
5.21.0
5.21.1
5.21.2
5.22.0
5.23.0
5.23.1
5.23.2
5.23.3
5.24.0
5.25.0
5.25.1