DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-XP4F-G2CM-RHG7: Log Denial of Service via LoginPacket Resource Exhaustion in PocketMine-MP

Vulnerability ID: GHSA-XP4F-G2CM-RHG7
CVSS Score: 5.0
Published: 2026-04-15

PocketMine-MP suffers from an unauthenticated Log Denial of Service (LogDoS) vulnerability in the LoginPacket processing logic. An attacker can craft a malicious JWT payload with excessive junk properties or send excessively large malformed packets to exhaust CPU, Disk I/O, and storage resources.

TL;DR

Unauthenticated attackers can trigger severe resource exhaustion (CPU and Disk I/O) by spamming junk properties in the LoginPacket JWT, forcing the server to perform unbounded logging.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400, CWE-770
  • Attack Vector: Network
  • CVSS Score: 5.0 (Medium)
  • Impact: Denial of Service (Resource Exhaustion)
  • Exploit Status: Proof of Concept
  • Authentication: None Required

Affected Systems

  • PocketMine-MP (pocketmine/pocketmine-mp via Packagist)
  • PocketMine-MP: all versions prior to commit c1d4a813fb8c21bfd8b9affd040da864b794df71

Code Analysis

Commit: c1d4a81

Fix LogDoS vectors by limiting unexpected JSON property logging and truncating unhandled packet debug logs.
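The pattern behind both the bug and the fix can be shown side by side. The following is an added illustration written for this post, not PocketMine-MP's own code (which is PHP): a vulnerable handler that writes one full debug line for every unexpected JWT property, next to a hardened handler that truncates what it logs, caps the number of unexpected properties, and rejects the login once with the 'Too many unexpected JSON properties' message. The cap, the truncation length, the expected claim names and the junk payload are all constructed assumptions for the example, not values taken from the project.

```python
import json
import logging
from io import StringIO

# Hypothetical limits for the illustration; PocketMine-MP's real constants are not on the page.
MAX_UNEXPECTED_PROPERTIES = 8   # cap on junk keys that are logged before rejecting the login
MAX_LOGGED_KEY_LENGTH = 64      # key names longer than this are truncated in the log line

# Constructed: claim names a legitimate LoginPacket JWT would be expected to carry.
EXPECTED_CLAIMS = {"identityPublicKey", "exp", "nbf", "iat"}


def build_junk_payload(junk_count: int, key_length: int = 200) -> str:
    """Constructed sample payload: the expected claims plus junk_count long junk keys."""
    claims = {"identityPublicKey": "key", "exp": 1, "nbf": 0, "iat": 0}
    for i in range(junk_count):
        claims[f"junk_{i}_" + "A" * key_length] = "x"
    return json.dumps(claims)


def _make_logger(name: str):
    """Logger writing to an in-memory buffer so the log volume can be measured."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def process_unbounded(payload: str) -> str:
    """Vulnerable pattern: one full-length log line per unexpected property, no cap.
    Log volume is controlled entirely by the unauthenticated sender."""
    logger, buf = _make_logger("unbounded")
    for key in json.loads(payload):
        if key not in EXPECTED_CLAIMS:
            logger.debug("Unexpected JSON property in LoginPacket: %s", key)
    return buf.getvalue()


def process_bounded(payload: str):
    """Hardened pattern: truncate logged key names, cap how many are logged,
    and reject the login once the cap is exceeded. Returns (log_text, rejected)."""
    logger, buf = _make_logger("bounded")
    unexpected = 0
    for key in json.loads(payload):
        if key in EXPECTED_CLAIMS:
            continue
        unexpected += 1
        if unexpected > MAX_UNEXPECTED_PROPERTIES:
            logger.warning("Too many unexpected JSON properties")
            return buf.getvalue(), True
        shown = key if len(key) <= MAX_LOGGED_KEY_LENGTH else key[:MAX_LOGGED_KEY_LENGTH] + "..."
        logger.debug("Unexpected JSON property in LoginPacket: %s", shown)
    return buf.getvalue(), False


def compare_log_volume(junk_count: int) -> dict:
    """Run both handlers over the same constructed payload and report the log cost."""
    payload = build_junk_payload(junk_count)
    unbounded = process_unbounded(payload)
    bounded, rejected = process_bounded(payload)
    return {
        "unbounded_lines": len(unbounded.splitlines()),
        "unbounded_bytes": len(unbounded.encode()),
        "bounded_lines": len(bounded.splitlines()),
        "bounded_bytes": len(bounded.encode()),
        "rejected": rejected,
    }


if __name__ == "__main__":
    # With 1000 junk keys the vulnerable handler writes 1000 lines of ~250 bytes each;
    # the hardened one writes 8 truncated lines plus a single rejection warning.
    print(compare_log_volume(1000))
```

The point of the comparison is that in the vulnerable handler the number and size of log lines are a linear function of attacker input, while in the hardened one they are bounded by constants the operator controls; the single 'Too many unexpected JSON properties' warning is also what makes the abuse visible in monitoring, which is what remediation step 5 relies on.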

Mitigation Strategies

  • Upgrade PocketMine-MP to a patched release incorporating commit c1d4a813fb8c21bfd8b9affd040da864b794df71.
  • Implement UDP rate limiting on the server's public-facing port to throttle connection attempts.
  • Configure aggressive log rotation and size limits to prevent complete disk space exhaustion.
  • Isolate application logs to a dedicated partition separate from the host OS.

Remediation Steps:

  1. Download the latest PocketMine-MP phar executable released after April 4, 2026.
  2. Stop the PocketMine-MP service.
  3. Replace the vulnerable phar executable with the patched version.
  4. Restart the PocketMine-MP service and verify normal operation.
  5. Monitor application logs for 'Too many unexpected JSON properties' exceptions.

References


Read the full report for GHSA-XP4F-G2CM-RHG7 on our website for more details including interactive diagrams and full exploit analysis.