Allocation of Resources Without Limits or Throttling Affecting pocketmine/pocketmine-mp package, versions <5.25.2

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PHP-POCKETMINEPOCKETMINEMP-9460807
published18 Mar 2025
disclosed10 Mar 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 10 Mar 2025

NewCWE-770 (opens in a new tab)

How to fix?

Upgrade pocketmine/pocketmine-mp to version 5.25.2 or higher.

Overview

pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the explode() function. An attacker can occupy excessive CPU or memory by sending malicious data to JWT parsing, sign editing, and other command parsing functions.

Workaround

The sign editing vector can be mitigated by pre-processing incoming data to filter out BlockActorDataPacket containing more than 4 newline-delimited parts.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None