GHSA-788v-5pfp-93ff: PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

April 6, 2026

The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.

The player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.

References

github.com/advisories/GHSA-788v-5pfp-93ff
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/commit/cef1088341e40ee7a6fa079bca47a84f3524d877
github.com/pmmp/PocketMine-MP/commit/f983f4f66d5e72d7a07109c8175799ab0ee771d5
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-788v-5pfp-93ff

Code Behaviors & Features

Detect and mitigate GHSA-788v-5pfp-93ff with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →