GHSA-42qm-8v8m-m78c: 
PHP vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-42qm-8v8m-m78c) was discovered in PocketMine MP affecting versions prior to 4.18.0-ALPHA2. The vulnerability was published on May 30, 2023, and involves uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'. The issue affects the composer package pocketmine/pocketmine-mp and received a CVSS score of 5.3 (GitHub Advisory).

The vulnerability stems from a 'mismatch' type InventoryTransactionPacket that clients send to request a resync of all currently open inventories. The core issue is that PocketMine-MP does not implement rate-limiting for these 'mismatch' transactions, and the inventory syncing process is not deferred until the end of the current tick. The vulnerability is classified with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating network vector attack with low complexity and no required privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability can be used as a bandwidth multiplier, causing the server to transmit many megabytes of data. This is particularly impactful when dealing with network serialized inventory items containing large amounts of NBT data. The vulnerability primarily affects server availability, though no confidentiality or integrity impacts have been reported (GitHub Advisory).

The vulnerability was patched in version 4.18.0-ALPHA2 alongside the introduction of the ItemStackRequest system implementation. For users unable to update immediately, a workaround exists where plugins can handle DataPacketReceiveEvent for InventoryTransactionPacket and check if the type is MismatchTransactionData, implementing a rate limit (e.g., maximum 1 per tick) (GitHub Advisory, PocketMine Changelog).