GHSA-xp4f-g2cm-rhg7: PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket
Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.
This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.
This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.
References
- github.com/advisories/GHSA-xp4f-g2cm-rhg7
- github.com/pmmp/PocketMine-MP
- github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php
- github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php
- github.com/pmmp/PocketMine-MP/commit/c1d4a813fb8c21bfd8b9affd040da864b794df71
- github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xp4f-g2cm-rhg7
Code Behaviors & Features
Detect and mitigate GHSA-xp4f-g2cm-rhg7 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →