GHSA-7hmv-4j2j-pp6f: PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`

April 6, 2026

The server handles ActorEventPacket to trigger consuming animations from vanilla clients when they eat food or drink potions.

This can be abused to make the server spam other clients, and to waste server CPU and memory. For every ActorEventPacket sent by the client, an animation event will be sent to every other player the attacker is visible to.

This is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. AnimatePacket and LevelSoundEventPacket), but somehow this one slipped through the net.

References

github.com/advisories/GHSA-7hmv-4j2j-pp6f
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/commit/aeea1150a772a005b92bd418366f1b7cf1a91ab5
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7hmv-4j2j-pp6f

Code Behaviors & Features

Detect and mitigate GHSA-7hmv-4j2j-pp6f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →