GHSA-7wrv-6h42-w54f: PocketMine-MP vulnerable to server crash using badly formatted sign NBT in BlockActorDataPacket

July 14, 2023 (updated December 26, 2025)

A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in BlockActorDataPacket.

References

github.com/advisories/GHSA-7wrv-6h42-w54f
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/commit/0c250a2ef09627b48aa52302f6cc7e1f2afb70ea
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7wrv-6h42-w54f

Code Behaviors & Features

Detect and mitigate GHSA-7wrv-6h42-w54f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →