GHSA-xp4f-g2cm-rhg7

Suggest an improvement
Source
https://github.com/advisories/GHSA-xp4f-g2cm-rhg7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xp4f-g2cm-rhg7/GHSA-xp4f-g2cm-rhg7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-xp4f-g2cm-rhg7
Published
2026-04-15T19:43:33Z
Modified
2026-04-15T19:49:46.565504Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket
Details

Impact

Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

Patches

This issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.

However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).

References

Affected code:

https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303 https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350

Database specific 
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-779"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-04-15T19:43:33Z",
    "github_reviewed": true
}
References

Affected packages

Packagist / pocketmine/pocketmine-mp

Package

Name
pocketmine/pocketmine-mp
Purl
pkg:composer/pocketmine/pocketmine-mp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.42.1

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.5.12
3.5.13
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.9.6
3.9.7
3.9.8
3.10.0
3.10.1
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.11.5
3.11.6
3.11.7
3.12.0
3.12.1
3.12.2
3.12.3
3.12.4
3.12.5
3.12.6
3.13.0
3.13.1
3.14.0
3.14.1
3.14.2
3.14.3
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.16.0
3.16.1
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.18.0
3.18.1
3.18.2
3.19.0
3.19.1
3.19.2
3.19.3
3.20.0
3.21.0
3.21.1
3.22.0
3.22.1
3.22.2
3.22.3
3.22.4
3.22.5
3.23.0
3.23.1
3.24.0
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4
3.25.5
3.25.6
3.26.0
3.26.1
3.26.2
3.26.3
3.26.4
3.26.5
3.27.0
3.28.0
4.*
4.0.0-BETA1
4.0.0-BETA2
4.0.0-BETA3
4.0.0-BETA4
4.0.0-BETA5
4.0.0-BETA6
4.0.0-BETA7
4.0.0-BETA8
4.0.0-BETA9
4.0.0-BETA10
4.0.0-BETA11
4.0.0-BETA12
4.0.0-BETA13
4.0.0-BETA14
4.0.0-BETA15
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.1.0-BETA1
4.1.0-BETA2
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.2.7
4.2.8
4.2.9
4.2.10
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.4.0-BETA1
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.5.2
4.6.0
4.6.1
4.6.2
4.7.0
4.7.1
4.7.2
4.7.3
4.8.0
4.8.1
4.9.0
4.9.1
4.10.0
4.10.1
4.10.2
4.11.0-BETA1
4.11.0-BETA2
4.11.0
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.5
4.12.6
4.12.7
4.12.8
4.12.9
4.12.10
4.12.11
4.13.0-BETA1
4.13.0
4.14.0
4.14.1
4.15.0
4.15.1
4.15.2
4.15.3
4.16.0-BETA1
4.16.0-BETA2
4.16.0
4.17.0
4.17.1
4.17.2
4.18.0-ALPHA1
4.18.0-ALPHA2
4.18.0
4.18.1
4.18.2
4.18.3
4.18.4
4.19.0
4.19.1
4.19.2
4.19.3
4.20.0
4.20.1
4.20.2
4.20.3
4.20.4
4.20.5
4.21.0
4.21.1
4.22.0
4.22.1
4.22.2
4.22.3
4.23.0
4.23.1
4.23.2
4.23.3
4.23.4
4.23.5
4.23.6
4.24.0
4.25.0
4.26.0
5.*
5.0.0-ALPHA1
5.0.0-BETA1
5.0.0-ALPHA2
5.0.0-BETA2
5.0.0-ALPHA3
5.0.0-BETA3
5.0.0-ALPHA4
5.0.0-BETA4
5.0.0-ALPHA5
5.0.0-ALPHA6
5.0.0-ALPHA7
5.0.0-ALPHA8
5.0.0-ALPHA9
5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.1.3
5.2.0
5.2.1
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.5.0-BETA1
5.5.0
5.6.0
5.6.1
5.7.0
5.7.1
5.8.1
5.8.2
5.9.0
5.10.0
5.11.0
5.11.1
5.11.2
5.12.0
5.12.1
5.13.0
5.14.0
5.14.1
5.15.0
5.16.0
5.17.0
5.17.1
5.18.0
5.18.1
5.19.0
5.20.0
5.20.1
5.21.0
5.21.1
5.21.2
5.22.0
5.23.0
5.23.1
5.23.2
5.23.3
5.24.0
5.25.0
5.25.1
5.25.2
5.26.0
5.27.0
5.27.1
5.28.0
5.28.1
5.28.2
5.29.0
5.30.0
5.30.1
5.31.0
5.32.0
5.32.1
5.33.0
5.33.1
5.33.2
5.34.0
5.34.1
5.35.0
5.35.1
5.36.0
5.37.0
5.37.1
5.37.2
5.37.3
5.38.0
5.39.0
5.39.1
5.39.2
5.39.3
5.40.0
5.41.0
5.41.1
5.42.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xp4f-g2cm-rhg7/GHSA-xp4f-g2cm-rhg7.json"