CVEReports
Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


GHSA-H6RJ-3M53-887H: Unauthenticated Denial of Service via Log Parsing Recursion in PocketMine-MP

Alon Barad, Software Engineer

Apr 7, 2026

PoC Available

Executive Summary (TL;DR)

PocketMine-MP before 5.41.1 is vulnerable to an unauthenticated Denial of Service. An attacker can send a customized LoginPacket with unrecognized, highly nested JSON properties, causing the server's logging function to exhaust CPU and memory via recursive serialization.

A resource exhaustion vulnerability exists in PocketMine-MP versions prior to 5.41.1. Unauthenticated remote attackers can crash the server by sending a malformed LoginPacket containing deeply nested JSON structures, which triggers unbounded recursive serialization and memory allocation during warning log generation.

Vulnerability Overview

PocketMine-MP exposes a network interface designed to parse incoming connections from Minecraft clients. The vulnerability resides in the LoginPacket handler, specifically within the JSON Web Token (JWT) processor responsible for extracting clientData.

The flaw represents an unauthenticated resource exhaustion vulnerability, categorized under CWE-400 and CWE-770. It occurs when the server processes unrecognized JSON properties during the initial login sequence before identity verification.

An attacker sends a crafted login request containing anomalous properties. The server consumes excessive CPU cycles and memory attempting to process the data, resulting in an out-of-memory (OOM) crash and a complete denial of service.

Root Cause Analysis

The root cause is the improper handling of undefined JSON properties within the LoginPacketHandler. The server utilizes a JsonMapper class configured with a callback named warnUndefinedJsonPropertyHandler to process incoming client payloads.

This callback triggers whenever the parsed clientData JWT contains keys absent from the destination PHP data structures, such as PlayerInfo. The handler generates a warning log containing the unexpected property name and its associated value.

The vulnerability stems directly from the use of the var_export($value, true) function within the logging callback. The var_export function performs deep, recursive serialization to convert complex PHP variables into a string representation suitable for logging.

When the $value variable contains a deeply nested array or an artificially bloated data structure, the recursive traversal operation consumes significant CPU cycles. The resulting string representation allocates extensive memory, causing the application to exceed PHP memory limits and terminate.

Code Analysis

The vulnerable implementation in src/network/mcpe/handler/LoginPacketHandler.php passed unvalidated user input to an unbounded serialization function. The warnUndefinedJsonPropertyHandler closure executed var_export on the mixed $value parameter without enforcing depth limits.

The vulnerable code block demonstrates the direct use of the serialization function within the warning log generator:

private function warnUndefinedJsonPropertyHandler(string $context) : \Closure{
	return fn(object $object, string $name, mixed $value) => $this->session->getLogger()->warning(
		"$context: Unexpected JSON property for " . (new \ReflectionClass($object))->getShortName() . ": " . $name . " = " . var_export($value, return: true)
	);
}

The patch applied in commit 87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 resolves the issue by removing the resource-intensive var_export call. The application no longer attempts to serialize the actual values of unknown properties.

Furthermore, the patch introduces input truncation and sanitization on the property $name. The patched code truncates the key to 80 characters and processes it through Utils::printable() to neutralize log injection techniques:

private function warnUndefinedJsonPropertyHandler(string $context) : \Closure{
	return fn(object $object, string $name, mixed $value) => $this->session->getLogger()->warning(
		"$context: Unexpected JSON property for " . (new \ReflectionClass($object))->getShortName() . ": " . Utils::printable(substr($name, 0, 80))
	);
}
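
As an added example (not code from the advisory or from PocketMine-MP), the standalone PHP script below places the vulnerable closure beside the patched one and measures the message each produces for the same nested input. The logger, the printable() helper (a local stand-in for Utils::printable()), PlayerInfoStandIn and the nested() test-input builder are all constructed for this demo; only the two closure bodies mirror the blocks quoted above.

```php
<?php
declare(strict_types=1);

// Added example: contrasts the unbounded var_export logging of the 5.41.0 handler
// with the bounded message of the 5.41.1 patch. Everything except the two closure
// bodies is a local stand-in, not PocketMine-MP code.

final class StandInLogger {
    /** @var string[] */
    public array $lines = [];
    public function warning(string $msg): void { $this->lines[] = $msg; }
}

/** Local stand-in for PocketMine's Utils::printable(): mask non-printable bytes. */
function printable(string $s): string {
    return preg_replace('/[^\x20-\x7E]/', '?', $s) ?? '';
}

/** Vulnerable shape (5.41.0): serialises whatever value the client sent. */
function vulnerableHandler(StandInLogger $log, string $context): \Closure {
    return fn(object $object, string $name, mixed $value) => $log->warning(
        "$context: Unexpected JSON property for " . (new \ReflectionClass($object))->getShortName()
        . ": " . $name . " = " . var_export($value, true)
    );
}

/** Patched shape (5.41.1): logs only a truncated, sanitised key and never the value. */
function patchedHandler(StandInLogger $log, string $context): \Closure {
    return fn(object $object, string $name, mixed $value) => $log->warning(
        "$context: Unexpected JSON property for " . (new \ReflectionClass($object))->getShortName()
        . ": " . printable(substr($name, 0, 80))
    );
}

/** Constructed test input: an array nested $depth levels deep ending in $leaves scalars. */
function nested(int $depth, int $leaves): array {
    $v = array_fill(0, $leaves, 0);
    for ($i = 0; $i < $depth; $i++) {
        $v = [$v];
    }
    return $v;
}

/** Stand-in for the PlayerInfo destination object named in the advisory. */
final class PlayerInfoStandIn {}

$target = new PlayerInfoStandIn();
// A long key with an embedded newline: the patch both truncates and masks it.
$key = str_repeat("A", 200) . "\n[FAKE LOG LINE]";

foreach ([8, 16, 32] as $depth) {
    $value = nested($depth, 64);
    $vuln = new StandInLogger();
    $fixed = new StandInLogger();
    (vulnerableHandler($vuln, "clientData"))($target, $key, $value);
    (patchedHandler($fixed, "clientData"))($target, $key, $value);
    printf("depth %2d: var_export message %7d bytes, patched message %3d bytes\n",
        $depth, strlen($vuln->lines[0]), strlen($fixed->lines[0]));
}
```

Run it with `php` on any 8.x interpreter. The var_export message grows with both nesting depth and leaf count (var_export re-indents every level, so the cost is superlinear in depth), while the patched message stays at a fixed size regardless of what the client sends, and the newline in the key is masked rather than written raw into the log.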

Exploitation

Exploitation requires a custom protocol client or scripting framework capable of forging raw network packets. The attacker targets the initial LoginPacket, which the server parses immediately upon connection before validating client identity or initiating application-level rate limits.

The attacker constructs a malformed JWT for the clientData field. This JWT includes a payload containing an arbitrary, unrecognized key to ensure the data bypasses standard object mapping and strictly triggers the warning handler.

The value assigned to this unrecognized key is structured as a heavily nested JSON array. Proof-of-concept exploits utilize simple iteration loops to generate arrays nested hundreds of levels deep, terminating in massive primitive collections.

Upon receiving the packet, the server decodes the JWT and invokes the warnUndefinedJsonPropertyHandler. The synchronous var_export execution hangs the main thread, spiking CPU usage to 100% and rapidly exhausting available system memory until the process is killed.

Impact Assessment

The primary impact is a severe Denial of Service (DoS) affecting the availability of the target application. A single malicious packet sent by an unauthenticated attacker permanently crashes the server process.

The CVSS v3.1 vector evaluates to 7.5, formulated as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The network attack vector and lack of authentication prerequisites allow attackers to exploit this vulnerability remotely with trivial effort.

Publicly accessible game servers face a high probability of exploitation. Attackers routinely scan network ranges for the default Minecraft protocol port (19132/UDP) to launch automated disruption campaigns against vulnerable game hosts.

The vulnerability does not facilitate arbitrary code execution or permit unauthorized data access. The security impact remains strictly confined to the operational availability of the server.

Remediation

The primary mitigation is upgrading PocketMine-MP to version 5.41.1 or a subsequent release. This version incorporates the upstream patch, eliminating the var_export call and enforcing size boundaries on logged JSON keys.

Administrators unable to deploy the update immediately can implement temporary workarounds via server plugins. A custom plugin can hook the DataPacketReceiveEvent to inspect incoming LoginPacket payloads before the core application logic processes them.

The custom plugin can extract the clientData JWT and assert the absence of anomalous keys or excessive payload depth. Dropping non-compliant packets at the event layer prevents the malicious data from reaching the vulnerable JsonMapper configuration.

Network filtering provides limited utility as a standalone defense. The target UDP port must remain exposed to accommodate legitimate client connections, rendering traditional IP-based filtering ineffective against anonymous attackers unless strict allowlists are feasible.
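
The event-layer workaround described above, as an added example that is neither PocketMine-MP code nor a plugin shipped with the advisory. The LoginJwtGate class is plain PHP and runs on its own; the listener at the bottom assumes the PocketMine API named in the text (DataPacketReceiveEvent, LoginPacket) together with the property and method names called out in its comments, and is only declared when those classes are present. The size and depth bounds, the sample claim names and the unsigned test JWT are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: pre-screens the clientData JWT of a LoginPacket before the
// core JsonMapper sees it. Not PocketMine-MP code; API names are assumptions.

/** Pure check: returns a rejection reason for a suspicious clientData JWT, or null if it passes. */
final class LoginJwtGate {
    // Assumed bounds: legitimate clientData is an object a few levels deep and
    // well under 64 KiB. Tune to the logins observed on your own server.
    public const MAX_JWT_BYTES = 65536;
    public const MAX_JSON_DEPTH = 16;

    public static function reject(string $jwt): ?string {
        if (strlen($jwt) > self::MAX_JWT_BYTES) {
            return "clientData JWT too large (" . strlen($jwt) . " bytes)";
        }
        $parts = explode(".", $jwt);
        if (count($parts) !== 3) {
            return "clientData JWT is not three dot-separated segments";
        }
        // JWT payloads are unpadded base64url: map to standard base64 and re-pad.
        $b64 = strtr($parts[1], "-_", "+/");
        $b64 .= str_repeat("=", (4 - strlen($b64) % 4) % 4);
        $json = base64_decode($b64, true);
        if ($json === false) {
            return "clientData JWT payload is not valid base64url";
        }
        // json_decode's depth limit is the real gate: a payload nested deeper than
        // MAX_JSON_DEPTH yields NULL with JSON_ERROR_DEPTH, so the structure is
        // never materialised and never reaches the warning handler.
        $payload = json_decode($json, true, self::MAX_JSON_DEPTH);
        if (json_last_error() === JSON_ERROR_DEPTH) {
            return "clientData JSON nested deeper than " . self::MAX_JSON_DEPTH . " levels";
        }
        if (!is_array($payload)) {
            return "clientData payload is not a JSON object";
        }
        return null;
    }

    /** Builds an unsigned test JWT around $claims (constructed input for the demo only). */
    public static function unsignedJwt(array $claims): string {
        $seg = fn(array $a): string => rtrim(strtr(base64_encode(json_encode($a)), "+/", "-_"), "=");
        return $seg(["alg" => "none"]) . "." . $seg($claims) . ".";
    }
}

// Plugin wiring, declared only inside PocketMine so the file also runs under plain `php`.
if (interface_exists(\pocketmine\event\Listener::class)) {
    final class LoginGatePlugin extends \pocketmine\plugin\PluginBase implements \pocketmine\event\Listener {
        protected function onEnable(): void {
            $this->getServer()->getPluginManager()->registerEvents($this, $this);
        }

        // Assumed API: DataPacketReceiveEvent::getPacket(), ::getOrigin(), ::cancel();
        // LoginPacket::$clientDataJwt; NetworkSession::getIp() and ::disconnect().
        public function onPacket(\pocketmine\event\server\DataPacketReceiveEvent $event): void {
            $packet = $event->getPacket();
            if (!$packet instanceof \pocketmine\network\mcpe\protocol\LoginPacket) {
                return;
            }
            $reason = LoginJwtGate::reject($packet->clientDataJwt);
            if ($reason !== null) {
                $this->getLogger()->warning("Dropped login from " . $event->getOrigin()->getIp() . ": " . $reason);
                $event->cancel();
                $event->getOrigin()->disconnect("Invalid login data");
            }
        }
    }
}

// Demo under plain `php`: a shallow constructed clientData passes; a value nested
// 64 levels deep under an unrecognised key (constructed test input) is rejected.
if (!class_exists(\pocketmine\plugin\PluginBase::class, false)) {
    $deep = [0];
    for ($i = 0; $i < 64; $i++) {
        $deep = [$deep];
    }
    $cases = [
        "shallow" => LoginJwtGate::unsignedJwt(["DeviceModel" => "example", "LanguageCode" => "en_US"]),
        "nested"  => LoginJwtGate::unsignedJwt(["NotAClientDataKey" => $deep]),
    ];
    foreach ($cases as $label => $jwt) {
        echo $label, ": ", LoginJwtGate::reject($jwt) ?? "accepted", "\n";
    }
}
```

Deploying the listener assumes a plugin.yml that names LoginGatePlugin as the main class. The gate deliberately checks depth with json_decode's own limit rather than walking the decoded structure, because walking it would reproduce the very traversal the advisory warns about; a key allowlist could be layered on top, but that requires the project's ClientData field list and is left out here. Because the check runs before identity verification, it should stay cheap and stateless, exactly as written.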

Official Patches

PocketMine-MP: Official fix commit in the PocketMine-MP repository.

Technical Appendix

CVSS Score: 7.5 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

PocketMine-MP (pocketmine/pocketmine-mp)

Affected Versions Detail

Product: pocketmine/pocketmine-mp (pmmp)
Affected Versions: >= 0.0.0, < 5.41.1
Fixed Version: 5.41.1

Attribute               Detail
Vulnerability Type      Denial of Service via Resource Exhaustion
CWE ID                  CWE-400, CWE-770
CVSS v3.1 Score         7.5 (High)
Attack Vector           Network
Authentication Required None
Affected Component      LoginPacketHandler (clientData JWT parser)
Exploit Availability    PoC logic documented

MITRE ATT&CK Mapping

T1499.003 Endpoint Denial of Service: Application Exhaustion (tactic: Impact)

CWE-400: Uncontrolled Resource Consumption

The application does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed.

Vulnerability Timeline

  • 2026-03-19: Fix commit pushed to pmmp/PocketMine-MP.
  • 2026-04-06: Security Advisory GHSA-H6RJ-3M53-887H published.

References & Sources

  • [1] GitHub Security Advisory GHSA-H6RJ-3M53-887H
  • [2] OSV Record GHSA-h6rj-3m53-887h
  • [3] Vulnerable Source Code File (5.41.0)

Attack Flow Diagram

(Interactive diagram; not reproduced in this text version.)