
CVE Reports

Originally published at cvereports.com

GHSA-H6RJ-3M53-887H: Unauthenticated Denial of Service via Log Parsing Recursion in PocketMine-MP

Vulnerability ID: GHSA-H6RJ-3M53-887H
CVSS Score: 7.5
Published: 2026-04-06

A resource exhaustion vulnerability exists in PocketMine-MP versions prior to 5.41.1. An unauthenticated remote attacker can crash the server by sending a malformed LoginPacket whose clientData JWT contains unrecognized, deeply nested JSON structures. When the JSON mapper encounters an unknown property it generates a log warning, and before the fix that warning serialized the entire attacker-supplied value with var_export, so the recursion depth, CPU time and memory consumed by a single warning were under the attacker's control.

TL;DR

PocketMine-MP before 5.41.1 is vulnerable to an unauthenticated Denial of Service. An attacker can send a crafted LoginPacket with unrecognized, highly nested JSON properties in its clientData, causing the server's logging path to exhaust CPU and memory through recursive serialization of the attacker-controlled value.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Denial of Service via Resource Exhaustion
  • CWE ID: CWE-400, CWE-770
  • CVSS v3.1 Score: 7.5 (High)
  • Attack Vector: Network
  • Authentication Required: None
  • Affected Component: LoginPacketHandler (clientData JWT parser)
  • Exploit Availability: PoC logic documented

Affected Systems

  • PocketMine-MP (pocketmine/pocketmine-mp)
  • pocketmine/pocketmine-mp: >= 0.0.0, < 5.41.1 (Fixed in: 5.41.1)

Code Analysis

Commit: 87d1c0c

Fix LogDoS by removing var_export on unknown JSON properties and adding sanitization.

Mitigation Strategies

  • Upgrade PocketMine-MP to version 5.41.1 or later. This is the only complete fix.
  • Until the upgrade is possible, a plugin can hook DataPacketReceiveEvent, inspect the clientDataJwt of incoming LoginPackets and cancel the event for malformed or excessively nested payloads. The event fires before the login handler parses the JWT, so the vulnerable logging path is never reached for rejected packets.
  • Alternatively, set bExceptionOnUndefinedProperty to true on the JsonMapper instance used for clientData so that unknown properties raise an exception instead of reaching the logging fallback. That mapper is constructed inside the server's login handler, so this is a source change to the core rather than a configuration option, and it will also reject any client that sends a field the server does not know about.
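The following PHP is an added example, not code from the original report and not PocketMine-MP's own code; it is in PHP because that is the language the server is written in. It shows the two sides of the issue above: the logging pattern the fix removed (var_export of a whole unknown property value) next to a bounded replacement that logs only a sanitized key, type and size hint, and a depth-limited decode of a clientData-shaped JWT payload of the kind a DataPacketReceiveEvent listener could apply before the login handler parses it. The depth limit of 32, the field name unknown_field, the function names and the constructed JWT strings are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP's own code. Names, the depth limit and the
// sample JWTs below are assumptions chosen for illustration.

const MAX_CLIENT_DATA_DEPTH = 32; // assumption: genuine clientData is only a few levels deep

/**
 * Vulnerable logging pattern: var_export() walks the entire value, so the CPU,
 * memory and log volume spent on one warning scale with whatever the client sent.
 */
function describeUnknownPropertyUnsafe(string $name, mixed $value): string
{
    return "Unknown property \"$name\": " . var_export($value, true);
}

/**
 * Hardened pattern: never recurse into the value. Emit a sanitized key (printable
 * ASCII, capped length), the PHP type and a size hint; the line length is bounded
 * no matter how the value is shaped.
 */
function describeUnknownPropertySafe(string $name, mixed $value): string
{
    $safeName = substr(preg_replace('/[^\x20-\x7e]/', '?', $name) ?? '', 0, 64);
    $hint = match (true) {
        is_array($value)  => ', ' . count($value) . ' top-level element(s)',
        is_string($value) => ', ' . strlen($value) . ' byte(s)',
        default           => '',
    };
    return "Unknown property \"$safeName\" (" . get_debug_type($value) . $hint . ')';
}

/**
 * Decode the payload segment of a JWT with a hard nesting bound. Returns null on
 * any malformation, including excessive depth (json_decode reports
 * JSON_ERROR_DEPTH, which JSON_THROW_ON_ERROR turns into a JsonException).
 * The signature is deliberately not verified here: the goal is to bound parser
 * work before any more expensive step runs.
 */
function decodeJwtPayloadBounded(string $jwt, int $maxDepth = MAX_CLIENT_DATA_DEPTH): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    try {
        $data = json_decode($raw, true, $maxDepth, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($data) ? $data : null;
}

/**
 * Constructed helper: a JWT-shaped string (unsigned, empty signature segment)
 * whose payload carries an unrecognized field nested $depth levels deep.
 */
function buildNestedJwt(int $depth): string
{
    $v = 'leaf';
    for ($i = 0; $i < $depth; $i++) {
        $v = ['x' => $v];
    }
    $payload = ['DeviceOS' => 1, 'unknown_field' => $v];
    $enc = static fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
    return $enc('{"alg":"ES384"}') . '.'
        . $enc(json_encode($payload, JSON_THROW_ON_ERROR, $depth + 8)) . '.';
}

// A shallow payload is accepted; a 200-level one is rejected by the parser itself,
// before any mapper or logger sees it.
var_dump(decodeJwtPayloadBounded(buildNestedJwt(2)) !== null);
var_dump(decodeJwtPayloadBounded(buildNestedJwt(200)) === null);

// If such a value did reach the logger, the two patterns differ sharply in the
// amount of output (and work) one warning produces. The key with an embedded NUL
// shows the sanitization step in the hardened variant.
$deep = 'leaf';
for ($i = 0; $i < 200; $i++) {
    $deep = ['x' => $deep];
}
printf("unsafe warning: %d bytes\n", strlen(describeUnknownPropertyUnsafe('unknown_field', $deep)));
printf("safe warning:   %d bytes\n", strlen(describeUnknownPropertySafe("unknown\x00field", $deep)));
```

In a plugin, decodeJwtPayloadBounded would be called from a DataPacketReceiveEvent listener on the packet's clientDataJwt, cancelling the event when it returns null; the functions here use only PHP's standard library so they can be run as-is with `php example.php` to see the size difference.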

Remediation Steps:

  1. Verify the current running version of PocketMine-MP.
  2. Download the patched version 5.41.1 or later from the official repository or Packagist.
  3. Stop the PocketMine-MP server process.
  4. Replace the server core files with the updated version.
  5. Restart the server process and monitor the console for any irregular startup errors.

