GHSA-fqqv-56h5-f57g: 
PHP vulnerability analysis and mitigation

A high-severity denial-of-service vulnerability (GHSA-fqqv-56h5-f57g) was discovered in PocketMine-MP affecting versions prior to 5.32.1. The vulnerability exists in the STATUSSENDPACKS handling of ResourcePackClientResponsePacket where the server processes the packIds array without verifying unique entries. This vulnerability was discovered on August 30, 2025, and affects the composer package pocketmine/pocketmine-mp (GitHub Advisory).

The vulnerability stems from the server's failure to validate resource pack sequence status and uniqueness of pack IDs. When processing ResourcePackClientResponsePacket, the server accepts the packIds array directly from the client without ensuring entries are unique. The vulnerability has a CVSS v4 score of 8.7 (High), with attack vector: Network, attack complexity: Low, privileges required: None, and user interaction: None. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (GitHub Advisory).

When exploited, this vulnerability allows an authenticated attacker to cause denial of service through memory exhaustion. A malicious client can send multiple duplicate valid pack UUIDs in the same STATUSSENDPACKS packet, causing the server to repeatedly send the same pack, quickly consuming server memory until it crashes. This affects any PocketMine-MP server with resource packs enabled (GitHub Advisory).

The vulnerability has been patched in version 5.32.1. The fix includes removing duplicates from the incoming packIds array, implementing a threshold for duplicate detection, and tracking previously sent packs to prevent resending. Server administrators are strongly recommended to update to version 5.32.1 or later (PocketMine Release).