GHSA-wjfq-88q2-r34j: 
PHP vulnerability analysis and mitigation

A high severity vulnerability (CVSS 7.5) was discovered in PocketMine-MP versions 4.0.0 through 4.0.6, identified as GHSA-wjfq-88q2-r34j. The vulnerability was published on January 21, 2022, and affects the composer package pocketmine/pocketmine-mp. The issue was patched in version 4.0.7 (GitHub Advisory).

The vulnerability occurs when handling form responses from the Minecraft Windows client (ModalFormResponsePacket). The client may send malformed JSON that jsondecode() cannot process. While a workaround is implemented in InGamePacketHandler::stupidjson_decode(), the function throws an InvalidArgumentException when it fails to fix errors in the JSON, which is not caught by the caller. The vulnerability has a CVSS v3.1 score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

When exploited, this vulnerability leads to a server crash due to the uncaught exception, affecting the availability of the service. The CVSS metrics indicate high impact on availability while confidentiality and integrity remain unaffected (GitHub Advisory).

The vulnerability was patched in version 4.0.7 with commit 56fe71d. As a workaround for affected versions, plugins can handle DataPacketReceiveEvent, capture ModalFormResponsePacket and process the JSON through stupidjsondecode, though this requires copying the function's body to a plugin as it's currently private (GitHub Advisory, PocketMine Commit).