CVE Reports

Posted on • Originally published at cvereports.com


GHSA-7HMV-4J2J-PP6F: Network Amplification and Resource Exhaustion in PocketMine-MP

Vulnerability ID: GHSA-7HMV-4J2J-PP6F
CVSS Score: 4.3
Published: 2026-04-06

PocketMine-MP versions prior to 5.39.2 suffer from a network amplification vulnerability triggered via unvalidated ActorEventPacket messages. Authenticated attackers can exploit this to force the server into O(N) packet broadcasting, resulting in significant CPU and bandwidth exhaustion.

TL;DR

A flaw in PocketMine-MP allows authenticated players to flood the server with eating animation packets. The server blindly broadcasts these to all nearby players, leading to resource exhaustion and potential denial of service. Fixed in 5.39.2.


Technical Details

  • Vulnerability Type: Uncontrolled Resource Consumption (Network Amplification)
  • CWE ID: CWE-400
  • CVSS v3.1 Base Score: 4.3 (Medium)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated player)
  • Exploit Maturity: None (No public PoC)
  • Affected Component: InGamePacketHandler (ActorEventPacket)

Affected Systems

  • PocketMine-MP Servers
  • pocketmine/pocketmine-mp: < 5.39.2 (Fixed in: 5.39.2)

Code Analysis

Commit: aeea115

The fix commit moves the source of truth for eating animations to the server and ignores client-sent ActorEventPacket eating triggers.

It modifies src/network/mcpe/handler/InGamePacketHandler.php so that handleActorEvent returns true without rebroadcasting the client's event, and Player.php so that onUpdate drives a throttled broadcastAnimation instead.

Mitigation Strategies

  • Upgrade PocketMine-MP core to a patched version (5.39.2 or later).
  • Implement application-level rate limiting using a plugin hooking the DataPacketDecodeEvent.
  • Monitor for high frequencies of inbound ActorEventPacket streams per client connection.
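The second and third mitigations combined, as an added example that is not part of the original report or of PocketMine-MP: a minimal plugin hooking DataPacketDecodeEvent to cap ActorEventPacket per session and log when the cap is hit. It assumes the PocketMine-MP 5.x event and protocol API (DataPacketDecodeEvent, ProtocolInfo::ACTOR_EVENT_PACKET, NetworkSession) and uses constructed threshold values.

```php
<?php
declare(strict_types=1);

namespace example\actoreventlimiter; // hypothetical plugin namespace

use pocketmine\event\Listener;
use pocketmine\event\player\PlayerQuitEvent;
use pocketmine\event\server\DataPacketDecodeEvent;
use pocketmine\network\mcpe\protocol\ProtocolInfo;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener {
    // Constructed limits: at most 20 ActorEventPacket per client per second.
    private const WINDOW_SECONDS = 1.0;
    private const MAX_PER_WINDOW = 20;

    /** @var array<string, array{start: float, count: int}> keyed by client ip:port */
    private array $buckets = [];

    protected function onEnable(): void {
        $this->getServer()->getPluginManager()->registerEvents($this, $this);
    }

    // Runs before the packet is decoded, so an over-limit packet costs the server nothing further.
    public function onDecode(DataPacketDecodeEvent $event): void {
        if ($event->getPacketId() !== ProtocolInfo::ACTOR_EVENT_PACKET) {
            return;
        }
        $session = $event->getOrigin();
        $key = $session->getIp() . ":" . $session->getPort();
        $now = microtime(true);
        $bucket = $this->buckets[$key] ?? ["start" => $now, "count" => 0];
        if ($now - $bucket["start"] > self::WINDOW_SECONDS) {
            $bucket = ["start" => $now, "count" => 0]; // fixed window rolled over
        }
        $bucket["count"]++;
        $this->buckets[$key] = $bucket;
        if ($bucket["count"] > self::MAX_PER_WINDOW) {
            $event->cancel(); // drop instead of letting the handler broadcast it
            if ($bucket["count"] === self::MAX_PER_WINDOW + 1) { // log once per window
                $this->getLogger()->warning("ActorEventPacket rate limit hit by " . $session->getDisplayName());
            }
        }
    }

    // Free the bucket when the client leaves so the map cannot grow without bound.
    public function onQuit(PlayerQuitEvent $event): void {
        $s = $event->getPlayer()->getNetworkSession();
        unset($this->buckets[$s->getIp() . ":" . $s->getPort()]);
    }
}
```

A plugin.yml naming this class as `main` is still required, and the thresholds are placeholders to tune against normal eating frequency on the server. This is a stopgap for servers that cannot upgrade immediately; 5.39.2 removes the client trigger altogether.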

Remediation Steps:

  1. Download the latest release of PocketMine-MP (v5.39.2+).
  2. Stop the running server instance gracefully.
  3. Replace the core source files or Phar archive with the updated build.
  4. Restart the server and verify functionality via console.

