An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03bTlyLXJxOWotd21taM4AAw1h

PocketMine-MP vulnerable to denial-of-service by sending large modal form responses


Because of a workaround for an old client bug (since fixed on the client side), very large JSON payloads in ModalFormResponsePacket caused the server to spend a significant amount of time processing a single packet. A flood of such packets could hog CPU time and prevent the server from processing other connections in a timely manner.


The problem has been addressed in commit 3baa5ab71214f96e6e7ab12cb9beef08118473b5 by removing the workaround code.


Plugins can cancel DataPacketReceiveEvent for ModalFormResponsePacket, decode the form data themselves, and then call Player->onFormSubmit() directly, bypassing the vulnerable code. The plugin's own decoding must not reintroduce the problem: bound the payload size before decoding it rather than decoding whatever the client sends.
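The following is an added example of that workaround as a minimal plugin, not code from the advisory or from the PocketMine-MP project. It is written against the PocketMine-MP 4.x plugin API as generally documented (Listener, DataPacketReceiveEvent, NetworkSession::getPlayer(), NetworkSession::disconnect(), Player::onFormSubmit()); the plugin namespace and class name, the 1 KiB size bound, and the exact packet field names formId/formData are assumptions to verify against the BedrockProtocol version your server ships.

```php
<?php

declare(strict_types=1);

namespace example\formguard; //hypothetical plugin namespace

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\protocol\ModalFormResponsePacket;
use pocketmine\plugin\PluginBase;

/**
 * Hypothetical plugin that takes over handling of ModalFormResponsePacket so the
 * server's own pre-4.12.5 handler (the vulnerable code) never sees the packet.
 */
final class Main extends PluginBase implements Listener{

	/** Assumed bound: legitimate responses are a scalar or a short flat JSON array. */
	private const MAX_FORM_RESPONSE_BYTES = 1024;

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof ModalFormResponsePacket){
			return;
		}

		//Cancelling the event stops the server's packet handler from processing this packet.
		$event->cancel();

		$session = $event->getOrigin();
		$player = $session->getPlayer();
		if($player === null){
			return; //session is not in-game yet, so there is no form to deliver a response to
		}

		$rawData = $packet->formData;
		if($rawData === null){
			//Client closed the form without submitting; pass null through like the server does.
			$player->onFormSubmit($packet->formId, null);
			return;
		}

		//Bound the payload BEFORE decoding. This is the check that removes the CPU-exhaustion vector.
		if(strlen($rawData) > self::MAX_FORM_RESPONSE_BYTES){
			$session->disconnect("Oversized form response");
			return;
		}

		try{
			//Depth 2 is sufficient: responses are a scalar (modal/menu forms) or a flat array (custom forms).
			$responseData = json_decode($rawData, true, 2, JSON_THROW_ON_ERROR);
		}catch(\JsonException $e){
			$session->disconnect("Malformed form response: " . $e->getMessage());
			return;
		}

		//Returns false if the form ID is unknown; the player is not kicked for that.
		$player->onFormSubmit($packet->formId, $responseData);
	}
}
```

Register the class as the plugin's main class in plugin.yml as usual. The essential difference from the vulnerable handler is the strlen() check before json_decode(): the server's built-in path decoded the client-supplied string first, so the cost was controlled by the attacker. Once you upgrade to 4.12.5 or later, remove the plugin; cancelling DataPacketReceiveEvent for every form response duplicates logic the server now handles safely.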

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Identifiers: GHSA-7m9r-rq9j-wmmh

Affected Packages

Versions: < 4.12.5
Fixed in: 4.12.5