GHSA-7m9r-rq9j-wmmh: 
PHP vulnerability analysis and mitigation

A moderate severity vulnerability was identified in PocketMine-MP (GHSA-7m9r-rq9j-wmmh), affecting versions prior to 4.12.5. The vulnerability was discovered and published on January 9, 2023, and updated on January 13, 2023. This security issue affects the composer package pocketmine/pocketmine-mp and was discovered by AkmalFairuz (GitHub Advisory).

The vulnerability stems from a workaround implemented for an old client bug involving JSON payloads in ModalFormResponsePacket. The issue has a CVSS v3.1 base score of 5.3 (Moderate) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, and Availability: Low. The vulnerability is classified under CWE-407 (GitHub Advisory).

When exploited, the vulnerability allows attackers to cause the server to spend significant CPU time processing large JSON payloads in ModalFormResponsePacket. Multiple packets of this nature can prevent the server from processing other connections in a timely manner, effectively creating a denial-of-service condition (GitHub Advisory).

The vulnerability has been patched in version 4.12.5 by removing the workaround code (commit 3baa5ab). As a temporary workaround, plugins can cancel DataPacketReceiveEvent for this packet, decode the data their way, and then call Player->onFormSubmit() directly to bypass the vulnerable code (GitHub Advisory).