GHSA-h6rj-3m53-887h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h6rj-3m53-887h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-h6rj-3m53-887h/GHSA-h6rj-3m53-887h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h6rj-3m53-887h
- Published
- 2026-04-06T22:54:03Z
- Modified
- 2026-04-06T23:04:13.904292Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
- Details
-
Impact
Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft
LoginPacket, causing the server to generate very long log messages. Additionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.
This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.
This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
PoC
Connect to the server using a custom client.
Send a Minecraft
LoginPacketcontaining an unexpected JSON property (e.g., invalid_key) within the ClientData.Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).
The server hits the
warnUndefinedJsonPropertyHandler, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.
A := make([]interface{}, 1) ptr := &A for i := 0; i < 500; i++ { next := make([]interface{}, 1000) (*ptr)[0] = next ptr = &next } data := make([]int, 2000000) for i := 0; i < 100; i++ { data[i] = i } (*ptr)[0] = data d.PlayFabID = APatches
The issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant
var_exportand limiting the length of the logged property name to 80 characters.Workarounds
Plugins can handle
DataPacketReceiveEventto captureLoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved usingJsonMapper(see the original affected code below) and setting thebExceptionOnUndefinedPropertyflag totrue. AJsonMapper_Exceptionwill be thrown if the JWT is problematic.However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).
- Database specific
{ "nvd_published_at": null, "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-400" ], "github_reviewed_at": "2026-04-06T22:54:03Z" }- References
-
- https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6rj-3m53-887h
- https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0
- https://github.com/pmmp/PocketMine-MP
- https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L288-L302
- https://github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php#L333-L349
Affected packages
Packagist / pocketmine/pocketmine-mp
Package
- Name
- pocketmine/pocketmine-mp
- Purl
- pkg:composer/pocketmine/pocketmine-mp
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.41.1