GHSA-788v-5pfp-93ff: Denial of Service via Unconstrained JSON Decoding in PocketMine-MP
Vulnerability ID: GHSA-788V-5PFP-93FF
CVSS Score: 7.1
Published: 2026-04-06
PocketMine-MP, a high-performance PHP-based server for Minecraft: Bedrock Edition, suffers from an uncontrolled resource consumption vulnerability prior to version 5.39.2. The server fails to enforce length or nesting boundaries on JSON payloads within incoming ModalFormResponsePacket messages. An authenticated attacker can transmit oversized payloads to exhaust server memory and CPU resources, causing the application thread to halt and leading to a complete denial of service.
TL;DR
PocketMine-MP lacks payload size and state validation for ModalFormResponsePackets. Attackers can trigger server-wide denial of service by sending unbounded JSON structures.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network (Authenticated)
- CVSS v4.0 Score: 7.1
- Impact: Denial of Service (Process Hang/Crash)
- Exploit Status: Proof of Concept Available
- Fixed Version: 5.39.2
Affected Systems
- PocketMine-MP (Minecraft: Bedrock Edition server software)
- PocketMine-MP: < 5.39.2 (Fixed in: 5.39.2)
Code Analysis
Commit: cef1088
Implement size and depth limitations on incoming JSON payloads during ModalFormResponse handling.
Commit: f983f4f
Add state validation to ensure form responses map to active pending forms.
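The two fixes described above, a byte and nesting ceiling on the decoded JSON and a check that the response belongs to a form that is actually pending, as an added PHP example. This is not PocketMine-MP's code: the class names, the PendingForms registry, the depth ceiling and the byte ceiling (set to the 10 KiB figure the mitigation section uses) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP code: a bounded JSON decode for a
// form-response payload plus a pending-form state check. Class names,
// limits and the PendingForms registry are assumptions for illustration.

final class FormResponseLimits
{
    // Constructed limits: the byte ceiling mirrors the 10 KiB proxy figure
    // from the advisory; the depth ceiling is an assumed sane nesting bound.
    public const MAX_BYTES = 10 * 1024;
    public const MAX_DEPTH = 32;
}

/** Tracks forms that were actually sent to a player and not yet answered. */
final class PendingForms
{
    /** @var array<int, bool> form id => true */
    private array $pending = [];

    public function register(int $formId): void
    {
        $this->pending[$formId] = true;
    }

    /** Consumes the pending entry; false when no such form is outstanding. */
    public function consume(int $formId): bool
    {
        if (!isset($this->pending[$formId])) {
            return false;
        }
        unset($this->pending[$formId]);
        return true;
    }
}

/**
 * Decodes a form response under hard byte and nesting limits.
 * Returns null without parsing when the payload is too large, and null
 * when the parser reports a depth overrun or a syntax error.
 */
function decodeFormResponse(string $rawJson): mixed
{
    // Reject oversized input before json_decode touches it; strlen is O(1).
    if (strlen($rawJson) > FormResponseLimits::MAX_BYTES) {
        return null;
    }
    try {
        // The depth argument bounds nesting; JSON_THROW_ON_ERROR turns a
        // depth overrun (JSON_ERROR_DEPTH) or syntax error into a JsonException.
        return json_decode($rawJson, true, FormResponseLimits::MAX_DEPTH, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
}

/**
 * Full handling path: state check first (the cheapest test), then the
 * bounded decode. Returns the decoded response, or null to drop the packet.
 */
function handleFormResponse(PendingForms $forms, int $formId, string $rawJson): mixed
{
    if (!$forms->consume($formId)) {
        // A response for a form that was never sent or was already answered.
        // The wording mirrors the debug message the advisory tells operators to watch for.
        error_log("Got unexpected response for form {$formId}");
        return null;
    }
    return decodeFormResponse($rawJson);
}

// Demonstration on constructed inputs.
$forms = new PendingForms();
$forms->register(7);

$deeplyNested = str_repeat('[', 1000) . str_repeat(']', 1000); // 1000 levels, beyond MAX_DEPTH
$oversized    = str_repeat('0', 20000);                        // 20000 bytes, beyond MAX_BYTES

var_dump(decodeFormResponse($deeplyNested));
var_dump(decodeFormResponse($oversized));
var_dump(handleFormResponse($forms, 7, '[0, "yes"]')); // form 7 is pending: accepted
var_dump(handleFormResponse($forms, 7, '[0, "yes"]')); // form 7 already consumed: dropped
```

The ordering matters: the pending-form lookup is a hash-table check and runs before any parsing, so a response for a form that was never sent is rejected without the parser ever seeing the payload, and the byte check runs before `json_decode` so the parser never sees an oversized body at all.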
Exploit Details
- Research Context: NodeJS Proof of Concept demonstrating payload construction via bedrock-protocol.
Mitigation Strategies
- Upgrade PocketMine-MP to version 5.39.2 or later.
- Deploy a Minecraft-aware reverse proxy to filter incoming ModalFormResponsePacket packets exceeding 10 KiB in size.
- Implement application-level timeouts for the PHP parsing thread if supported by the execution environment.
Remediation Steps:
- Identify the current version of PocketMine-MP running on the server.
- If the version is prior to 5.39.2, stop the server process.
- Update the pocketmine/pocketmine-mp dependency via Composer, or download the latest PHAR build for version 5.39.2.
- Restart the server and verify that the updated version is active in the console output.
- Monitor server logs for unexpected 'Got unexpected response for form' debug messages, indicating potential exploitation attempts.
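The log monitoring step above, as an added PHP example that is not part of the advisory or of PocketMine-MP: it counts the 'Got unexpected response for form' debug lines per player and reports players at or above a threshold. Only the quoted phrase comes from the advisory; the log line layout, the "from <player>" suffix captured by the regex and the sample lines are constructed for this example and should be adjusted to the real log format.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP code: tally the 'Got unexpected response
// for form' debug lines per player and flag players above a threshold.
// The line layout and the player suffix are assumptions for illustration.

/**
 * @param list<string> $lines     raw log lines
 * @param int          $threshold unexpected responses per player that trigger an alert
 * @return array<string, int>     player => count, only for players at or above the threshold
 */
function findFormResponseAbuse(array $lines, int $threshold): array
{
    $counts = [];
    foreach ($lines as $line) {
        // The phrase is from the advisory; the "from <player>" capture is an assumed layout.
        if (preg_match('/Got unexpected response for form \d+ from (\S+)/', $line, $m) === 1) {
            $player = $m[1];
            $counts[$player] = ($counts[$player] ?? 0) + 1;
        }
    }
    // Keep only players whose count reaches the threshold.
    return array_filter($counts, fn(int $n): bool => $n >= $threshold);
}

// Constructed sample log lines for the demonstration.
$sampleLog = [
    '[12:00:01] [Server thread/DEBUG]: Got unexpected response for form 3 from Alice',
    '[12:00:01] [Server thread/DEBUG]: Got unexpected response for form 4 from Alice',
    '[12:00:02] [Server thread/DEBUG]: Got unexpected response for form 5 from Alice',
    '[12:00:02] [Server thread/INFO]: Bob joined the game',
    '[12:00:03] [Server thread/DEBUG]: Got unexpected response for form 9 from Bob',
];

foreach (findFormResponseAbuse($sampleLog, 3) as $player => $count) {
    echo "{$player}: {$count} unexpected form responses\n";
}
```

A single unexpected response is normal (a player can answer a form after it timed out), so the threshold, not the presence of the message, is what distinguishes noise from a client that is sending responses to forms it was never shown.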