
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability (GHSA-p62j-hrxm-xcxf) was identified in PocketMine-MP affecting versions <3.26.5 and >=4.0.0, <4.0.5. The vulnerability was published on January 4, 2022, and last updated on January 11, 2023. The issue involves unlimited book page text, count, and author/title length in the game server software, allowing players to create 'book bombs' that could potentially impact server performance (GitHub Advisory).
The vulnerability has a CVSS v3.1 score of 6.5 (Moderate) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The technical assessment indicates network attack vector, low attack complexity, low privileges required, no user interaction needed, unchanged scope, no impact on confidentiality and integrity, but high impact on availability. The vulnerability allows players to create books with unlimited characters per page and bypass the 50-page limit (GitHub Advisory).
The vulnerability leads to several critical issues: excessive bandwidth consumption for both server and client due to oversized NBT data, server crashes when saving region-based worlds due to exceeding the maximum chunk size of 1 MB (specific to PM3), and server crashes if any book page exceeds 32 KiB due to TAG_String size limit (specific to PM4). However, exploitation requires an attacker to first obtain a writable book (GitHub Advisory).
The vulnerability has been patched in versions 3.26.5 and 4.0.5. For unpatched systems, recommended workarounds include banning writable books entirely or installing a plugin that cancels PlayerEditBookEvent when the book text exceeds the advisory's limits (strlen(text) > 1024 || mb_strlen(text) > 256) (GitHub Advisory).
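The plugin-based workaround above, written out as an added example (this is not code from the advisory or the PocketMine-MP project). It assumes the PocketMine-MP 4.x plugin API (PluginBase, Listener, PlayerEditBookEvent::getNewBook(), WritableBookBase::getPages(), WritableBookPage::getText(), WrittenBook::getTitle()/getAuthor(), and cancel() on the event); the namespace, the 50-page cap and the title/author bound are assumptions, since the advisory names those fields but gives no number for them.

```php
<?php
declare(strict_types=1);

// Assumed namespace; plugin.yml's "main" entry must point at this class.
namespace Example\BookLimiter;

use pocketmine\event\Listener;
use pocketmine\event\player\PlayerEditBookEvent;
use pocketmine\item\WrittenBook;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener {
    // Limits quoted in the advisory workaround: a page is rejected if either check fails.
    private const MAX_PAGE_BYTES = 1024;
    private const MAX_PAGE_CHARS = 256;
    // Vanilla page cap that the vulnerable versions fail to enforce (assumed value).
    private const MAX_PAGES = 50;
    // Bound for signed-book title and author (assumed; the advisory gives no number).
    private const MAX_META_CHARS = 64;

    protected function onEnable() : void {
        $this->getServer()->getPluginManager()->registerEvents($this, $this);
    }

    /**
     * True when the text is within both the byte limit (what ends up in NBT on the wire
     * and on disk) and the character limit (what a legitimate player could type).
     * Checking bytes and characters separately catches multi-byte padding as well.
     */
    public static function textWithinLimits(string $text, int $maxBytes, int $maxChars) : bool {
        return strlen($text) <= $maxBytes && mb_strlen($text, "UTF-8") <= $maxChars;
    }

    public function onEditBook(PlayerEditBookEvent $event) : void {
        $book = $event->getNewBook();
        $pages = $book->getPages();

        // Oversized page count: the client-side 50-page limit is not trusted.
        if (count($pages) > self::MAX_PAGES) {
            $this->reject($event, "page count " . count($pages) . " exceeds " . self::MAX_PAGES);
            return;
        }

        // Oversized page text: this is the "book bomb" case from the advisory.
        foreach ($pages as $index => $page) {
            if (!self::textWithinLimits($page->getText(), self::MAX_PAGE_BYTES, self::MAX_PAGE_CHARS)) {
                $this->reject($event, "page $index exceeds the text limit");
                return;
            }
        }

        // Signing a book also carries title/author strings that the server stores.
        if ($book instanceof WrittenBook) {
            foreach (["title" => $book->getTitle(), "author" => $book->getAuthor()] as $field => $value) {
                if (!self::textWithinLimits($value, self::MAX_META_CHARS * 4, self::MAX_META_CHARS)) {
                    $this->reject($event, "$field exceeds the metadata limit");
                    return;
                }
            }
        }
    }

    /** Cancel the edit so the oversized book is never written, and log who sent it. */
    private function reject(PlayerEditBookEvent $event, string $reason) : void {
        $event->cancel();
        $this->getLogger()->warning(
            "Rejected book edit from " . $event->getPlayer()->getName() . ": " . $reason
        );
    }
}
```

Drop the class into a plugin with a plugin.yml whose `main` is `Example\BookLimiter\Main` and whose `api` lists the server's 4.x version. Cancelling the event means the server never serialises the oversized NBT, so neither the region-file write (PM3) nor the TAG_String size check (PM4) is reached; the logged player name gives operators something to act on. Upgrading to 3.26.5 or 4.0.5 remains the real fix.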
Source: This report was generated using AI