GHSA-788v-5pfp-93ff: Denial of Service via Unconstrained JSON Decoding in PocketMine-MP

PocketMine-MP is custom server software for Minecraft: Bedrock Edition, written in PHP. It manages network communications, entity logic, and world state by parsing structured packets sent by connected game clients. One such packet is the ModalFormResponsePacket, which transmits user input from server-rendered UI forms back to the server environment.

A vulnerability exists in the handling of this packet in all PocketMine-MP versions prior to 5.39.2. The server parses the contents of the formData field without enforcing boundaries on the payload size or validating the logical state of the user's session. This lack of validation exposes the server to CWE-400 (Uncontrolled Resource Consumption).

Because the PHP process handles Minecraft packet processing in a single-threaded event loop, any resource-intensive operation blocks the entire server. An authenticated attacker exploits this architectural design by supplying a malicious payload that forces the JSON parser into prolonged execution, resulting in an immediate denial of service.

The flaw originates in InGamePacketHandler::handleModalFormResponse(). When a client transmits a ModalFormResponsePacket, the application extracts the user-controlled formData string and passes it directly to PHP's built-in json_decode() function. The server relies on this function to parse UI form responses into native PHP arrays or objects.

Prior to the patch, the application omitted critical boundary checks. The server performed no validation on the total byte length of the incoming string. Furthermore, the json_decode() call omitted depth restrictions, allowing deeply nested structures to allocate significant memory overhead. PHP's JSON parser consumes memory and CPU cycles proportionally to the size and structural complexity of the input.

Additionally, the server failed to perform stateful validation prior to executing the parser. It did not verify whether the connected player was actively interacting with a UI form matching the provided formId. This allowed attackers to submit unsolicited, oversized payloads directly to the vulnerable decoding logic without traversing any prerequisite game actions.

The vulnerability was resolved through two specific commits. The first commit (cef1088341e40ee7a6fa079bca47a84f3524d877) introduces physical constraints on the incoming formData payload. The maintainers added constants to define maximum payload limits and implemented length validation before the parser executes.

// src/network/mcpe/handler/InGamePacketHandler.php (Patched)
if(strlen($packet->formData) > self::MAX_FORM_RESPONSE_SIZE){
    throw new PacketHandlingException("Form response data too large...");
}
$responseData = json_decode($packet->formData, true, self::MAX_FORM_RESPONSE_DEPTH, JSON_THROW_ON_ERROR);

The implementation restricts MAX_FORM_RESPONSE_SIZE to 10 KiB (10,240 bytes) and sets MAX_FORM_RESPONSE_DEPTH to 2. These parameters mathematically bound the maximum memory footprint that json_decode() can consume, neutralizing the resource exhaustion vector.

The second commit (f983f4f66d5e72d7a07109c8175799ab0ee771d5) introduces stateful verification. The server now checks its internal state to ensure the client is responding to a legitimate, active form prompt.

// src/network/mcpe/handler/InGamePacketHandler.php (Patched)
if(!$this->player->hasPendingForm($packet->formId)){
    $this->session->getLogger()->debug("Got unexpected response for form $packet->formId");
    return false;
}

By validating the existence of a pending formId associated with the specific player session, the server drops unsolicited ModalFormResponsePacket messages early in the pipeline. This combination of stateful validation and bounded parsing completely mitigates the vulnerability class in this packet handler.

Exploitation requires the attacker to possess an active network connection and standard player privileges on the target server. The attacker joins the server utilizing a customized game client or a headless script. Publicly available libraries, such as bedrock-protocol for Node.js, facilitate the construction and transmission of arbitrary Minecraft packets.

The attacker generates a highly oversized JSON payload, such as a 10-megabyte array populated exclusively with zeros. The attacker encapsulates this payload within the formData field of a crafted ModalFormResponsePacket. An arbitrary integer is assigned to the formId field to bypass rudimentary packet structure checks.

// NodeJS PoC using bedrock-protocol
client.write('modal_form_response', {
  formId: 9999,
  formData: '[' + '0,'.repeat(5_000_000) + '0]'
});

The attacker transmits the malicious packet to the server immediately after spawning into the game world. The payload traverses the network layer and enters the vulnerable handleModalFormResponse routing logic.

The server's main thread delegates processing to json_decode(), which begins allocating memory for the millions of array elements. This synchronized operation blocks the event loop until parsing completes or the process exhausts system memory limits.

Successful exploitation guarantees a complete denial of service for the targeted PocketMine-MP instance. Due to the single-threaded nature of the application's core loop, the time spent parsing the oversized JSON structure halts all other server operations. Legitimate packets from other players are queued but remain unprocessed.

Connected players experience an immediate server freeze. In-game entity movement, chat synchronization, and world updates cease functioning. If the PHP process attempts to allocate memory exceeding the administrative memory_limit configuration, the kernel or the PHP runtime forcefully terminates the process.

The vulnerability is tracked with a CVSS v4.0 vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, resulting in a base score of 7.1. The attack is executable remotely over the network with low complexity. The attacker only requires the basic privileges necessary to join a public or accessible Minecraft server.

The primary remediation strategy requires updating the PocketMine-MP installation to version 5.39.2. This release includes the strict payload sizing constraints and the stateful form validation logic necessary to neutralize the attack vector.

Administrators who cannot immediately apply the patch can employ network-level mitigation strategies. Custom reverse proxies or specialized packet filtering software, such as WaterdogPE or specifically configured BPF filters, can inspect incoming UDP traffic. Administrators can define rules to drop ModalFormResponsePacket payloads that exceed the 10 KiB threshold before they reach the backend server.

From a secure development perspective, this vulnerability highlights the necessity of bounding user input before execution. Application parsers, specifically those handling structural data formats like XML, YAML, or JSON, must operate within strict physical limits (byte size, depth, element count) to prevent asymmetric resource consumption attacks.