GHSA-XP4F-G2CM-RHG7

GHSA-XP4F-G2CM-RHG7 is a medium-severity security vulnerability in pocketmine/pocketmine-mp (composer), affecting versions < 5.42.1. It is fixed in 5.42.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.

However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).

References

Affected code:

https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303
https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350

Impact

Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

Affected versions

pocketmine/pocketmine-mp (< 5.42.1)

Security releases

pocketmine/pocketmine-mp → 5.42.1 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

This issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.

Frequently Asked Questions

  1. What is GHSA-XP4F-G2CM-RHG7? GHSA-XP4F-G2CM-RHG7 is a medium-severity security vulnerability in pocketmine/pocketmine-mp (composer), affecting versions < 5.42.1. It is fixed in 5.42.1.
  2. Which versions of pocketmine/pocketmine-mp are affected by GHSA-XP4F-G2CM-RHG7? pocketmine/pocketmine-mp (composer) versions < 5.42.1 is affected.
  3. Is there a fix for GHSA-XP4F-G2CM-RHG7? Yes. GHSA-XP4F-G2CM-RHG7 is fixed in 5.42.1. Upgrade to this version or later.
  4. Is GHSA-XP4F-G2CM-RHG7 exploitable, and should I be worried? Whether GHSA-XP4F-G2CM-RHG7 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-XP4F-G2CM-RHG7 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-XP4F-G2CM-RHG7? Upgrade pocketmine/pocketmine-mp to 5.42.1 or later.

Other vulnerabilities in pocketmine/pocketmine-mp

Stop the waste.
Protect your environment with Kodem.