Vulnerability DatabaseGHSA-h6rj-3m53-887h

GHSA-h6rj-3m53-887h:
PHP vulnerability analysis and mitigation

Impact

Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages. Additionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS. This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely. This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully. This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

PoC

Connect to the server using a custom client.
Send a Minecraft LoginPacket containing an unexpected JSON property (e.g., invalid_key) within the ClientData.
Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).
The server hits the warnUndefinedJsonPropertyHandler, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.

A := make([]interface{}, 1)
	ptr := &A
	for i := 0; i < 500; i++ {
		next := make([]interface{}, 1000)
		(*ptr)[0] = next
		ptr = &next
	}
	data := make([]int, 2000000)
	for i := 0; i < 100; i++ {
		data[i] = i
	}
	(*ptr)[0] = data
	d.PlayFabID = A

Patches

The issue was addressed in https://github.com/pmmp/PocketMine-MP/commit/87d1c0cea09d972fd4c2fafb84dac2ecab7649f0 by removing the relevant var_export and limiting the length of the logged property name to 80 characters.

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic. However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).

Source: NVD

Related PHP vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
GHSA-h6rj-3m53-887h	HIGH	7.5	PHP	pocketmine/pocketmine-mp	No	Yes	Apr 06, 2026
GHSA-788v-5pfp-93ff	HIGH	7.1	PHP	pocketmine/pocketmine-mp	No	Yes	Apr 06, 2026
CVE-2026-35452	MEDIUM	5.3	PHP	wwbn/avideo	No	No	Apr 06, 2026
GHSA-7hmv-4j2j-pp6f	MEDIUM	4.3	PHP	pocketmine/pocketmine-mp	No	Yes	Apr 06, 2026
GHSA-f9jp-856v-8642	LOW	3.7	PHP	pocketmine/pocketmine-mp	No	Yes	Apr 06, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

GHSA-h6rj-3m53-887h: PHP vulnerability analysis and mitigation