GHSA-h6j3-j35f-v2x7: 
PHP vulnerability analysis and mitigation

A high severity vulnerability (GHSA-h6j3-j35f-v2x7) was discovered in PocketMine-MP affecting versions < 5.11.1. The vulnerability allows attackers to crash PocketMine-MP servers by sending malformed JSON data in LoginPacket. The issue stems from netresearch/jsonmapper's handling of object hydration from scalar types in JSON, where improperly initialized objects could be created when constructors don't properly handle input values (GitHub Advisory).

The vulnerability occurs when JsonMapper attempts to hydrate objects from scalar types in JSON without proper validation. The core issue lies in JsonMapper's behavior where it doesn't validate constructor arguments properly and doesn't respect bStrictObjectTypeChecking when processing arrays. This can result in objects with @required properties being left uninitialized instead of throwing an error. The vulnerability has been assigned a CVSS score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

When exploited, this vulnerability can cause PocketMine-MP servers to crash through the processing of improperly initialized objects. The impact primarily affects service availability, with no direct impact on confidentiality or integrity. The attack can be executed remotely without requiring any privileges or user interaction (GitHub Advisory).

The vulnerability has been patched in PocketMine-MP version 5.11.1. The fix was implemented through two key changes: pmmp/netresearch-jsonmapper@b96a209 and commit 6872661. Due to the complexity of detecting malicious data that triggers this issue, creating plugin-based workarounds is not practical. Users are strongly advised to upgrade to the patched version (GitHub Advisory).

Due to the recurring nature of security issues arising from unexpected behavior in JsonMapper, the PocketMine-MP team has indicated they are exploring options to replace the JsonMapper library entirely (GitHub Advisory).