GHSA-g274-c6jj-h78p: 
PHP vulnerability analysis and mitigation

GHSA-g274-c6jj-h78p affects PocketMine-MP versions prior to 5.25.2, discovered and disclosed in March 2025. The vulnerability allows malicious clients to waste server CPU and memory resources through the exploitation of unconstrained explode() function calls in various components including sign editing, LoginPacket JWT parsing, and command parsing (GitHub Advisory).

The vulnerability stems from the lack of limits in the PHP explode() function implementation across multiple components. The issue has a CVSS score of 5.3 (Moderate) with base metrics indicating network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability impacts server availability while maintaining unchanged scope and no impact on confidentiality or integrity (GitHub Advisory).

When exploited, this vulnerability can lead to server resource exhaustion through CPU and memory consumption. While the potential impact is considered low due to existing packet decompression limits, it affects multiple system components including sign editing, login packet processing, JWT parsing, and command parsing systems (GitHub Advisory).

The vulnerability was patched in version 5.25.2 through commit d0d84d4, which introduced mandatory limit parameters for all explode() function calls. A custom PHPStan rule was implemented to enforce this requirement across the codebase. For unpatched systems, a workaround involves implementing plugins to pre-process BlockActorDataPacket and verify that incoming text doesn't exceed 4 parts when split by newlines (GitHub Advisory).