GHSA-xh99-hw7h-wf63: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-xh99-hw7h-wf63) was discovered in PocketMine-MP affecting versions prior to 4.0.6. The vulnerability was published on January 13, 2022, and involves unchecked validity of Facing values in PlayerActionPacket. The issue affects the composer package pocketmine/pocketmine-mp (GitHub Advisory).

The vulnerability stems from insufficient validation of facing values in PlayerActionPacket, particularly with START_BREAK or CRACK_BLOCK actions, or with UseItemTransactionData in InventoryTransactionPacket. The vulnerability has a CVSS score of 7.5 (High), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, Availability: High (GitHub Advisory).

When exploited, this vulnerability allows a remote attacker to crash a server by sending PlayerActionPacket with invalid facing values, such as negative numbers. The impact primarily affects the availability of the server, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 4.0.6 of PocketMine-MP. For those unable to update immediately, a workaround is available: using a plugin to cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, it's important to note that negative values may be legitimate in some cases (GitHub Advisory, PocketMine Commit).