GHSA-XP4F-G2CM-RHG7: Log Denial of Service via LoginPacket Resource Exhaustion in PocketMine-MP

PocketMine-MP is a custom server software implementation for Minecraft: Bedrock Edition. It handles incoming client connections over UDP, initiating the connection sequence via a LoginPacket. This initial handshake authenticates the user and processes client-specific configuration data. The packet processing logic executes before the client is fully authenticated, exposing a pre-authentication attack surface.

The vulnerability, identified as GHSA-XP4F-G2CM-RHG7, resides in the handling of the LoginPacket payload. It is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). Specifically, the flaw manifests as a Log Denial of Service (LogDoS) condition, where an attacker coerces the server into performing excessive logging operations.

By exploiting this vulnerability, an unauthenticated remote attacker can severely degrade server performance. The attack triggers high CPU utilization due to string processing overhead and exhausts storage media IOPS and capacity. This results in the server becoming unresponsive to legitimate player connections, effectively causing a denial of service.

The root cause of this vulnerability involves two distinct unbounded logging vectors during the initial packet processing phase. The first vector originates in the JSON mapping functionality used to decode the clientData JSON Web Token (JWT) located within the LoginPacket. PocketMine-MP uses a JsonMapper to map the JWT payload properties to corresponding PHP object properties.

Before the patch, the application registered a custom handler named warnUndefinedJsonPropertyHandler. This handler executed every time the JsonMapper encountered a JSON property that did not map to a predefined target property. The handler generated a warning log entry for each unmapped property without any rate limiting or thresholding. This required expensive reflection calls (ReflectionClass), string concatenation, and synchronous disk writes.

The second vector involves the fallback error handling within NetworkSession.php. When a packet validation failure triggered a PacketHandlingException, the server logged the entire raw packet buffer. The application base64-encoded this buffer for debugging purposes. Because Minecraft packets can approach maximum network transmission unit sizes, processing a large, intentionally malformed packet forced the server to perform CPU-bound base64 encoding and write large data blocks to the filesystem.

The vulnerable implementation of warnUndefinedJsonPropertyHandler unconditionally called the logger for every unexpected property. If an attacker supplied a JSON object with 50,000 arbitrary key-value pairs, the application generated 50,000 sequential log warnings. The patch implemented in commit c1d4a813fb8c21bfd8b9affd040da864b794df71 resolves this by introducing a static counter within the handler's closure.

The patched code enforces a strict limit of 10 unexpected property warnings per packet processing cycle. As shown in the patch snippet below, the warnUndefinedJsonPropertyHandler increments a static $count variable. If the counter is below 10, the warning is logged normally. Once the counter reaches the threshold, the application throws a PacketHandlingException, abruptly terminating the decoding process.

private function warnUndefinedJsonPropertyHandler(string $context) : \Closure{
    return function(object $object, string $name, mixed $value) use ($context) : void{
        static $count = 0;
        if($count++ < 10){
            $this->session->getLogger()->warning(/* log message */);
        }else{
            throw new PacketHandlingException("$context: Too many unexpected JSON properties");
        }
    };
}

Additionally, the developers mitigated the buffer logging vector in src/network/mcpe/NetworkSession.php. The debug logging routine was extracted into a dedicated method named unhandledPacketDebug. This new method explicitly truncates the base64-encoded buffer string to a maximum of 1024 bytes. It also appends a label to the log output specifying exactly how many bytes were omitted, ensuring administrators retain diagnostic context without exposing the system to arbitrary disk writes.

Exploitation requires no authentication and targets the publicly exposed UDP port used by the PocketMine-MP server. The attacker begins by constructing a valid Minecraft: Bedrock LoginPacket structure. This structure must conform to the base protocol requirements to pass the initial binary parsing phase and reach the JSON decoding logic.

To trigger the primary vector, the attacker manipulates the clientData JWT within the packet. They inject thousands of dynamically generated junk properties into the JSON payload. For example, injecting "junk0001": "val", "junk0002": "val" repeatedly until the payload approaches the maximum acceptable packet size. The attacker recalculates the necessary packet checksums and transmits the payload over UDP.

Alternatively, to exploit the buffer logging vector, the attacker constructs a packet containing a massive buffer filled with random bytes. The packet is specifically designed to fail a secondary validation check, deliberately triggering a PacketHandlingException. Upon receipt, the server attempts to handle the malformed data, resulting in immediate and intensive logging operations.

The consequences of this vulnerability are primarily bounded to resource exhaustion. The logging operations triggered by the malicious packets execute synchronously, blocking the main thread from processing legitimate player actions or incoming connections. The string processing overhead and reflection mechanisms required for the JSON mapping cause immediate and sustained CPU utilization spikes.

Concurrent with the CPU load, the server generates massive volumes of log data. This leads to storage exhaustion and severe Disk I/O latency. High volume synchronous writes will rapidly deplete system IOPS quotas, especially on containerized or virtualized hosting environments with strict resource constraints. The resulting I/O wait times further degrade application responsiveness.

If the log file partition shares storage with the host operating system or other critical services, completely filling the disk can trigger broader system instability. While the vulnerability carries a CVSS score of 5.0 (Medium), the practical impact on availability is significant for server operators. The vulnerability maps directly to MITRE ATT&CK techniques T1499 (Endpoint Denial of Service) and T1499.003 (OS Resource Exhaustion).

The definitive remediation for this vulnerability is applying the vendor-supplied patch. Server operators must upgrade PocketMine-MP to a version incorporating commit c1d4a813fb8c21bfd8b9affd040da864b794df71. This patch, introduced on April 4, 2026, effectively eliminates both unbounded logging vectors by implementing static counters and strict buffer truncation mechanisms.

In environments where immediate patching is not feasible, network-level mitigation strategies are necessary. Operators should implement strict UDP rate-limiting at the firewall edge. Limiting the frequency of incoming connections from individual IP addresses reduces the rate at which an attacker can trigger the resource-intensive logging paths.

System administrators must also implement aggressive log rotation policies. Tools such as logrotate should be configured to archive and compress PocketMine-MP logs frequently, with a hard limit on maximum log directory size. Placing application logs on an isolated storage partition prevents log exhaustion from causing secondary failures in the host operating system.