GHSA-h6rj-3m53-887h: PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket

April 6, 2026

Attackers can supply a large and/or complex structure as the value of an unknown property in the clientData JWT body of the Minecraft LoginPacket, causing the server to generate very long log messages. Additionally, the property name itself is logged without any length limit or sanitization, which can likewise be abused for LogDoS.

This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour provides flexibility against arbitrary changes introduced by Microsoft, it also creates vulnerabilities if such properties are not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
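An added illustration of the pattern the advisory describes (this is not PocketMine-MP's code, and the known field names are assumptions): a lenient mapper that writes an unknown property's name and full serialized value to the log, beside a strict one that rejects the property with a bounded, sanitized message.

```python
from __future__ import annotations
import json

# Constructed subset of the fields a clientData body is expected to carry
# (illustrative assumption, not the project's real schema).
KNOWN_FIELDS = {"ClientRandomId", "DeviceModel", "LanguageCode"}
MAX_LOGGED_NAME = 64  # cap on attacker-controlled text that may reach the log


class UnknownPropertyError(ValueError):
    """Raised by the strict mapper when the body carries an unexpected key."""


def _sanitize(name: str) -> str:
    # Truncate and strip non-printable characters before the name is logged.
    return "".join(ch if ch.isprintable() else "?" for ch in name[:MAX_LOGGED_NAME])


def map_client_data(body: dict, reject_unknown: bool, log: list[str]) -> dict:
    """Map a decoded clientData object onto the known schema.

    reject_unknown=False mirrors the pre-fix behaviour: the unknown property's
    name and its serialized value go into the log unbounded, so the log line
    grows with whatever the client chose to send.  reject_unknown=True rejects
    the first unknown property with a message of bounded length.
    """
    mapped = {}
    for name, value in body.items():
        if name in KNOWN_FIELDS:
            mapped[name] = value
            continue
        if reject_unknown:
            raise UnknownPropertyError(
                f"unexpected property {_sanitize(name)!r} in clientData")
        # Vulnerable pattern: unbounded name and full value serialized into the log.
        log.append(f"Unknown property {name}: {json.dumps(value)}")
    return mapped


def longest_log_line(body: dict) -> int:
    """Length of the longest line the lenient mapper would log for this body."""
    log: list[str] = []
    map_client_data(body, reject_unknown=False, log=log)
    return max((len(line) for line in log), default=0)


# Constructed sample: a plausible body plus one unknown key whose value is a
# nested structure (kept small here; its size is entirely client-controlled).
SAMPLE = {
    "ClientRandomId": 12345,
    "DeviceModel": "example-device",
    "LanguageCode": "en_US",
    "x" * 200: {"list": [{"k": "v" * 100}] * 20},
}
```

In lenient mode the logged line for SAMPLE exceeds 2,000 characters and scales linearly with the payload; in strict mode the error text stays under 120 characters regardless of input.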

References

  • github.com/advisories/GHSA-h6rj-3m53-887h
  • github.com/pmmp/PocketMine-MP
  • github.com/pmmp/PocketMine-MP/blob/5.41.0/src/network/mcpe/handler/LoginPacketHandler.php
  • github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0
  • github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h6rj-3m53-887h

Affected versions

All versions before 5.41.1

Fixed versions

  • 5.41.1

Solution

Upgrade to version 5.41.1 or above.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-400: Uncontrolled Resource Consumption

Source file

packagist/pocketmine/pocketmine-mp/GHSA-h6rj-3m53-887h.yml

Page generated Sat, 09 May 2026 12:18:59 +0000.