GHSA-7m9r-rq9j-wmmh – pocketmine/pocketmine-mp

Package

Manager: composer
Name: pocketmine/pocketmine-mp
Vulnerable Version: >=0 <4.12.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

PocketMine-MP vulnerable to denial-of-service by sending large modal form responses ### Impact Due to a workaround for an old client bug (which has since been fixed), very large JSON payloads in `ModalFormResponsePacket` were able to cause the server to spend a significant amount of time processing the packet. Large numbers of these packets were able to hog CPU time so as to prevent the server from processing other connections in a timely manner. ### Patches The problem has been addressed in 3baa5ab71214f96e6e7ab12cb9beef08118473b5 by removing the workaround code. ### Workarounds Plugins could cancel `DataPacketReceiveEvent` for this packet, decode the data their way, and then call `Player->onFormSubmit()` directly, bypassing the vulnerable code.

Metadata

Created: 2023-01-10T00:41:43Z
Modified: 2023-01-10T00:41:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7m9r-rq9j-wmmh/GHSA-7m9r-rq9j-wmmh.json
CWE IDs: []
Alternative ID: N/A
Finding: F002
Auto approve: 1