PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`

Description

Impact

The server handled ActorEventPacket sent by vanilla clients in order to play the consuming animation when a player eats food or drinks a potion.

This can be abused to make the server spam other clients, and to waste server CPU and memory. For every ActorEventPacket sent by the client, an animation event will be sent to every other player the attacker is visible to.

This is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. AnimatePacket and LevelSoundEventPacket), but somehow this one slipped through the net.

Patches

The problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. ActorEventPacket from the client is now discarded.

Workarounds

A plugin could use DataPacketDecodeEvent to rate-limit ActorEventPacket to prevent the attack.
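As an added example that is not part of the advisory or of PocketMine-MP itself, a minimal plugin implementing that workaround: it counts ActorEventPacket per network session inside a fixed one-second window and cancels DataPacketDecodeEvent once a session exceeds the limit, so the excess packet is never decoded or rebroadcast to other viewers. The plugin namespace, class name, plugin.yml wiring and the limit of 5 packets per second are assumptions; the API names follow PocketMine-MP 5 at the time of writing and should be checked against the version you run.

```php
<?php
declare(strict_types=1);

// Hypothetical plugin namespace/class; plugin.yml (not shown) must point `main` at this class.
namespace example\actoreventlimit;

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketDecodeEvent;
use pocketmine\network\mcpe\protocol\ProtocolInfo;
use pocketmine\plugin\PluginBase;
use pocketmine\scheduler\ClosureTask;

final class Main extends PluginBase implements Listener{
    /** Max ActorEventPackets accepted per session per window (assumed limit; tune for your server). */
    private const MAX_PER_WINDOW = 5;
    /** Window length in ticks (20 ticks = 1 second). */
    private const WINDOW_TICKS = 20;

    /** @var array<int, int> spl_object_id(session) => packets seen in the current window */
    private array $counts = [];

    protected function onEnable() : void{
        $this->getServer()->getPluginManager()->registerEvents($this, $this);
        // Fixed-window reset: clearing the whole map every window also bounds memory
        // for sessions that have disconnected, so no per-quit cleanup is needed.
        $this->getScheduler()->scheduleRepeatingTask(new ClosureTask(function() : void{
            $this->counts = [];
        }), self::WINDOW_TICKS);
    }

    /**
     * Fires before the packet is decoded, so a rejected packet costs only this
     * counter check instead of a decode plus a broadcast to every viewer.
     */
    public function onDecode(DataPacketDecodeEvent $event) : void{
        if($event->getPacketId() !== ProtocolInfo::ACTOR_EVENT_PACKET){
            return;
        }
        $key = spl_object_id($event->getOrigin());
        $this->counts[$key] = ($this->counts[$key] ?? 0) + 1;
        if($this->counts[$key] > self::MAX_PER_WINDOW){
            $event->cancel(); // drop the packet; nothing is forwarded to other players
            if($this->counts[$key] === self::MAX_PER_WINDOW + 1){ // log once per window
                $this->getLogger()->warning("Rate-limiting ActorEventPacket from " . $event->getOrigin()->getDisplayName());
            }
        }
    }
}
```

This only bounds the amplification; upgrading to 5.39.2, where the server discards client ActorEventPacket entirely, remains the fix.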

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2026-04-06 22:54:10 UTC
Updated
2026-04-06 22:54:10 UTC
GitHub reviewed
2026-04-06 22:54:10 UTC

CVSS Scores

Base score  Version  Severity  Vector
4.3         3.1      medium    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type  Value
GHSA  GHSA-7hmv-4j2j-pp6f

CWEs

CWE id   Name
CWE-406  Insufficient Control of Network Message Volume (Network Amplification)

Credits

  • dktapps (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem  Package                   Vulnerable range  First patched  Vulnerable functions
composer   pocketmine/pocketmine-mp  < 5.39.2          5.39.2         (none listed)
