PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket

Description

Impact

Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood the log with warning messages and waste CPU time.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

Patches

This issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.

However, this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).
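The following added example (not PocketMine-MP's code or its patch) applies the cap described under Patches to a decoded clientData body, as a plugin pre-check of the kind described under Workarounds could. KNOWN_KEYS, the function names and the sample JWT-shaped strings are assumptions constructed for illustration.

```php
<?php declare(strict_types=1);
const MAX_UNKNOWN_PROPERTIES = 10; // cap stated in the advisory
// Assumption: illustrative subset of expected keys, not the real clientData schema.
const KNOWN_KEYS = ['DeviceOS', 'GameVersion', 'LanguageCode', 'ServerAddress'];

/** Decodes the JWT body (second segment); the signature is not checked here. */
function decodeJwtBody(string $jwt) : array{
	$parts = explode('.', $jwt);
	if(count($parts) !== 3){
		throw new InvalidArgumentException('Expected 3 JWT segments');
	}
	$b64 = strtr($parts[1], '-_', '+/');
	$raw = base64_decode($b64 . str_repeat('=', (4 - strlen($b64) % 4) % 4), true);
	$body = $raw === false ? null : json_decode($raw, true);
	if(!is_array($body)){
		throw new InvalidArgumentException('JWT body is not a JSON object');
	}
	return $body;
}

/** Returns the unknown top-level keys; throws once, as soon as the cap is exceeded. */
function collectUnknownProperties(array $body) : array{
	$unknown = [];
	foreach(array_keys($body) as $key){
		if(!in_array((string) $key, KNOWN_KEYS, true)){
			$unknown[] = (string) $key;
		}
		if(count($unknown) > MAX_UNKNOWN_PROPERTIES){
			throw new RuntimeException('clientData has more than ' . MAX_UNKNOWN_PROPERTIES . ' unknown properties');
		}
	}
	return $unknown;
}

// Constructed sample input: encodes a body as an unsigned, JWT-shaped string.
function makeSampleJwt(array $body) : string{
	$enc = fn(string $s) : string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
	return $enc('{"alg":"ES384"}') . '.' . $enc(json_encode($body)) . '.' . $enc('constructed');
}

$small = ['DeviceOS' => 1, 'GameVersion' => '1.0.0', 'NewFieldA' => true, 'NewFieldB' => 'x'];
$large = $small + array_fill_keys(array_map(fn(int $i) => "Extra$i", range(1, 50)), 0);
foreach(['small' => $small, 'large' => $large] as $label => $body){
	try{
		$unknown = collectUnknownProperties(decodeJwtBody(makeSampleJwt($body)));
		echo "$label: accepted, unknown keys: ", implode(', ', $unknown), "\n";
	}catch(RuntimeException $e){
		echo "$label: rejected, ", $e->getMessage(), "\n";
	}
}
```

Rejecting on the eleventh unknown key means an oversized body produces one log line instead of one warning per property, while a body with a few new fields is still accepted.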

References

Affected code:

https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303
https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350

Basic information

Type: reviewed
Severity: medium
Published (advisory): 2026-04-15 19:43:33 UTC
Updated: 2026-04-15 19:43:34 UTC
GitHub reviewed: 2026-04-15 19:43:33 UTC

CVSS Scores

Base score: 6.9
Version: 4.0
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Attack vector (AV:N): Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L): Exploitation conditions are straightforward and stable.
Attack requirements (AT:N): No additional preconditions are required beyond normal reachability.
Privileges required (PR:N): No privileges are required.
User interaction (UI:N): No user interaction is required.
Vulnerable system confidentiality impact (VC:N): No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N): No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:L): Limited availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N): No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N): No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N): No availability impact on subsequent systems.

Identifiers

Type Value
GHSA GHSA-xp4f-g2cm-rhg7

CWEs

CWE id Name
CWE-779 Logging of Excessive Data

Credits

  • DrakzoSurYT (reporter)
  • dktapps (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer pocketmine/pocketmine-mp < 5.42.1 5.42.1
