Allocation of Resources Without Limits or Throttling in pocketmine/pocketmine-mp

Q: How to fix?

Upgrade pocketmine/pocketmine-mp to version 5.32.1 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PHP-POCKETMINEPOCKETMINEMP-12549197
published7 Sept 2025
disclosed2 Sept 2025
creditZwuiix-cmd

Report a new vulnerability Found a mistake?

Introduced: 2 Sep 2025

NewCWE-770 (opens in a new tab)

How to fix?

Upgrade pocketmine/pocketmine-mp to version 5.32.1 or higher.

Overview

pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the STATUS_SEND_PACKS handling of ResourcePackClientResponsePacket, which handles the packIds array without verifying that all entries are unique. An attacker can cause excessive memory consumption and crash the server by sending a large number of duplicate valid pack UUIDs in a single packet.

Note: This is exploitable if the attacker is an authenticated player and the server has resource packs enabled.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting pocketmine/pocketmine-mp package, versions <5.32.1

Severity