pocketmine/pocketmine-mp Security Advisories (24)
-
[MEDIUM] PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
PKSA-1y47-vhgh-zq2y GHSA-g274-c6jj-h78p
Affected version: <5.25.2
Reported by: GitHub
-
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (3rd time)
PKSA-7cft-g1hs-ddc8 GHSA-h6j3-j35f-v2x7
Affected version: <5.11.1
Reported by: GitHub
-
[HIGH] PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid
PKSA-krv9-c6mg-smc2 GHSA-xc7j-wj36-qjfr
Affected version: <5.11.2
Reported by: GitHub
-
[HIGH] PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)
PKSA-nv2r-zxzd-wzsw GHSA-92jh-gwch-jq38
Affected version: <=4.23.0|>=5.0.0,<=5.3.0
Reported by: GitHub
-
[HIGH] PocketMine-MP server crash due to incorrect EC curve used for LoginPacket identityPublicKey
PKSA-1sh5-spwn-dqsp GHSA-79rc-jjh6-rc89
Affected version: >=5.2.0,<5.3.1
Reported by: GitHub
-
[HIGH] PocketMine-MP vulnerable to server crash using badly formatted sign NBT in BlockActorDataPacket
PKSA-w66x-n614-p3z6 GHSA-7wrv-6h42-w54f
Affected version: >=5.0.0,<5.2.1|>=4.20.0,<4.22.3
Reported by: GitHub
-
[HIGH] PocketMine-MP vulnerable to improperly checked dropped item count leading to server crash
PKSA-rjb4-mbc7-gvrq GHSA-h87r-f4vc-mchv
Affected version: <4.18.1
Reported by: GitHub
-
[HIGH] PocketMine-MP vulnerable to server crash with certain invalid JSON payloads in `LoginPacket` due to vulnerable dependency
PKSA-mdrw-7xfy-3575 GHSA-pqp3-8rrw-g8vm
Affected version: >=4.21.0,<4.21.1|<4.20.5
Reported by: GitHub
-
[MEDIUM] PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'
PKSA-3mjs-tbmc-n317 GHSA-42qm-8v8m-m78c
Affected version: <4.18.0-ALPHA2
Reported by: GitHub
-
[MEDIUM] PocketMine-MP vulnerable to denial-of-service by sending large modal form responses
PKSA-6mdv-sgnk-4jgv GHSA-7m9r-rq9j-wmmh
Affected version: <4.12.5
Reported by: GitHub
-
[HIGH] PocketMine-MP has improperly handled dye colour IDs in banner NBT, leading to server crash
PKSA-dy8b-jxh6-kdd2 GHSA-wqqv-jcfr-9f5g
Affected version: <4.8.1
Reported by: GitHub
-
[HIGH] PocketMine-MP invalid skin geometry JSON data leading to server crash
PKSA-g2v4-vgph-zkgr GHSA-8cwq-4cmf-px73
Affected version: <4.7.2
Reported by: GitHub
-
[HIGH] Improperly checked IDs on itemstacks received from the client leading to server crash in PocketMine-MP
PKSA-kb27-gx3d-wgsn GHSA-fqx3-r75h-vc89
Affected version: >=4.0.0-BETA5,<4.4.2
Reported by: GitHub
-
[MEDIUM] Denial-of-service vulnerability processing large chat messages containing many newlines
PKSA-kq9f-6mzv-9z4b GHSA-gj94-v4p9-w672
Affected version: <4.2.10
Reported by: GitHub
-
[HIGH] Insufficient type validation in pocketmine/pocketmine-mp
PKSA-8sgq-z2gv-62hz GHSA-g5rr-p69h-7v3g
Affected version: <4.2.9
Reported by: GitHub
-
[HIGH] Improperly checked metadata on tools/armour itemstacks received from the client
PKSA-7kfz-3qgv-gptj GHSA-46c5-pfj8-fv65
Affected version: <4.2.4
Reported by: GitHub
-
[HIGH] NaN/INF in serverbound movement packets can crash clients and servers
PKSA-cnz3-d6jt-3shh GHSA-fm35-jgg3-3grx
Affected version: <=3.18.0
Reported by: GitHub
-
[MEDIUM] Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP
PKSA-6y7g-ysy5-mk9f GHSA-h79x-98r2-g6qc
Affected version: >=3.0.0,<4.0.0
Reported by: GitHub
-
[HIGH] Unhandled exception when decoding form response JSON
PKSA-rk71-pq1c-y6tt GHSA-wjfq-88q2-r34j
Affected version: >=4.0.0,<4.0.7
Reported by: GitHub
-
[HIGH] Unchecked validity of Facing values in PlayerActionPacket
PKSA-x9kw-xss7-ydqj GHSA-xh99-hw7h-wf63
Affected version: <4.0.6
Reported by: GitHub
-
[HIGH] Uncapped length of skin data fields submitted by players
PKSA-kbjw-qcz9-hw4r GHSA-c6fg-99pr-25m9
Affected version: >=4.0.0,<4.0.5|<3.26.5
Reported by: GitHub
-
[MEDIUM] Book page text, count, and author/title length is not limited in PocketMine-MP
PKSA-cqgn-qh62-vy4g GHSA-p62j-hrxm-xcxf
Affected version: >=4.0.0,<4.0.5|<3.26.5
Reported by: GitHub
-
[LOW] Inability to de-op players if listed in ops.txt with non-lowercase letters
PKSA-j497-g66n-z3zj GHSA-j5qg-w9jg-3wg3
Affected version: <4.0.3
Reported by: GitHub
-
[HIGH] Exploitable inventory component chaining in PocketMine-MP
PKSA-69r1-zx55-fghf GHSA-8jq6-w5cg-wm45
Affected version: <3.15.4
Reported by: GitHub