GHSA-8cwq-4cmf-px73: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability was identified in PocketMine-MP affecting versions prior to 4.7.2. The vulnerability (GHSA-8cwq-4cmf-px73) was discovered and published on August 16, 2022, with the last update on January 7, 2023. The issue affects the pocketmine/pocketmine-mp Composer package and involves incorrect handling of errors produced by adhocore/json-comment in the skin geometry JSON data processing (GitHub Advisory).

The vulnerability stems from the pocketmine\entity\Skin component's improper error handling when processing JSON data. Specifically, the system expects the adhocore/json-comment decoder to return false on error, but it instead throws a RuntimeException. This mismatch in error handling behavior can lead to server crashes when invalid skin geometry data is encountered. The vulnerability has been assigned a CVSS score of 7.5 (High), with base metrics indicating Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, and High availability impact (GitHub Advisory).

When exploited, this vulnerability results in server crashes if the skin geometry data contains invalid content or syntax errors. The impact is primarily focused on service availability, with no direct effect on confidentiality or integrity of the system (GitHub Advisory).

The vulnerability has been patched in version 4.7.2 of PocketMine-MP. For users unable to update immediately, a workaround exists where a plugin can handle LoginPacket and PlayerSkinPacket to verify the skin geometry data can be parsed correctly, preventing the error condition in the core code from being reached. The permanent fix involves properly catching and handling the RuntimeException thrown by the JSON decoder (GitHub Advisory, GitHub Commit).