SB20260408168 - Multiple vulnerabilities in PocketMine-MP

Published: April 8, 2026

Security Bulletin ID: SB20260408168
Severity: Low
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Insufficient Control of Network Message Volume (CVE-ID: N/A)

The vulnerability allows a remote user to cause network amplification and modify game state visible to other clients.

The vulnerability exists due to insufficient control of network message volume when processing client-supplied ActorEventPacket messages. A remote user can send a stream of ActorEventPacket messages to cause network amplification and to modify game state (animation state) visible to other clients.

For each packet the user sends, the server broadcasts an animation event to every other player to whom the user is visible, so one inbound packet becomes as many outbound packets as there are viewers. Handling the flood also wastes server CPU and memory.
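As an added example (this is not PocketMine-MP's own code, and the class and function names are mine), the following PHP shows the usual fix for this class of issue: a per-session token bucket placed in front of the rebroadcast, plus a small constructed simulation that makes the amplification factor visible. Packet size, tick rate and the budget values are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP code. Per-session token bucket that caps how
// many client-originated animation events the server will rebroadcast.
final class BroadcastBudget {
    private int $tokens;
    private int $lastRefillTick;

    public function __construct(
        private int $capacity,      // burst allowance (packets)
        private int $ticksPerToken, // sustained rate: one packet per this many ticks
        int $nowTick
    ) {
        $this->tokens = $capacity;
        $this->lastRefillTick = $nowTick;
    }

    // Returns true if the packet may be forwarded, false if it must be dropped.
    // Integer tick arithmetic keeps the accounting exact.
    public function allow(int $nowTick): bool {
        $gained = intdiv(max(0, $nowTick - $this->lastRefillTick), $this->ticksPerToken);
        if ($gained > 0) {
            $this->tokens = min($this->capacity, $this->tokens + $gained);
            $this->lastRefillTick += $gained * $this->ticksPerToken;
        }
        if ($this->tokens > 0) {
            $this->tokens--;
            return true;
        }
        return false;
    }
}

// One client sends $packetsPerTick ActorEventPackets per tick for $ticks ticks;
// every accepted packet is rebroadcast to $viewers other players as a packet of
// $packetBytes bytes. Returns [accepted, dropped, outbound bytes].
function simulateFlood(int $ticks, int $packetsPerTick, int $viewers, int $packetBytes, ?BroadcastBudget $budget): array {
    $accepted = 0;
    $dropped = 0;
    for ($tick = 0; $tick < $ticks; $tick++) {
        for ($i = 0; $i < $packetsPerTick; $i++) {
            if ($budget === null || $budget->allow($tick)) {
                $accepted++;
            } else {
                $dropped++;
            }
        }
    }
    return [$accepted, $dropped, $accepted * $viewers * $packetBytes];
}

// Constructed scenario: 200 packets per tick for one second (20 ticks),
// 50 viewers, 16-byte animation events.
$viewers = 50;
[$a, $d, $bytes] = simulateFlood(20, 200, $viewers, 16, null);
printf("unlimited: accepted=%d dropped=%d outbound=%d bytes (x%d amplification)\n", $a, $d, $bytes, $viewers);

// Same flood through a budget of 10 burst packets plus one more every 4 ticks (5/s).
$budget = new BroadcastBudget(10, 4, 0);
[$a, $d, $bytes] = simulateFlood(20, 200, $viewers, 16, $budget);
printf("budgeted:  accepted=%d dropped=%d outbound=%d bytes\n", $a, $d, $bytes);
```

In the unlimited run every one of the 4000 inbound packets fans out to all 50 viewers; with the budget only 14 are forwarded and the rest are discarded before any broadcast or allocation happens. A rejected packet from a legitimate client costs nothing more than a skipped animation, so the budget can be tight, and a session that keeps exceeding it is a reasonable kick candidate.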


2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)

The vulnerability allows a remote attacker to duplicate items and XP drops.

The vulnerability exists due to improper state validation in the entity attack handler when processing attack packets for entities marked for despawn: the handler does not reject a target that is already marked for despawn. A remote attacker can time an attack against a player entity during disconnect handling so that it duplicates item and XP drops.

Exploitation requires precise timing within the short interval after the target player has initiated disconnect and before the entity is removed from the world's entity table.
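The toy below, added here and not taken from PocketMine-MP, models the race so the check and the use can be seen side by side. It assumes one plausible way the duplication arises (the disconnecting player's inventory has already been persisted, and a death triggered inside the despawn window drops that inventory into the world a second time); the bulletin does not spell out the mechanism, so treat that part, and all class and method names, as illustrative.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP code: a toy model of the despawn race.
final class PlayerEntity {
    public bool $flaggedForDespawn = false;
    public bool $closed = false;
    private bool $lootDropped = false;

    /** @param list<string> $inventory */
    public function __construct(
        public int $id,
        public float $health,
        public array $inventory,
        public int $xp,
    ) {}

    public function isAlive(): bool {
        return $this->health > 0 && !$this->closed;
    }

    /** @param list<string> $worldDrops */
    public function dropLoot(array &$worldDrops): void {
        if ($this->lootDropped) {   // second guard: a death emits drops at most once
            return;
        }
        $this->lootDropped = true;
        foreach ($this->inventory as $item) {
            $worldDrops[] = $item;
        }
        $worldDrops[] = "xp:" . $this->xp;
    }
}

final class World {
    /** @var array<int, PlayerEntity> */
    public array $entities = [];
    /** @var list<string> */
    public array $drops = [];
    /** @var array<int, list<string>> */
    public array $savedInventories = [];

    // Disconnect handling: persist the inventory and flag the entity. In this toy
    // the entity stays in the table until the next flush; that gap is the window.
    public function beginDisconnect(PlayerEntity $p): void {
        $this->savedInventories[$p->id] = $p->inventory;
        $p->flaggedForDespawn = true;
    }

    public function flushDespawns(): void {
        foreach ($this->entities as $id => $e) {
            if ($e->flaggedForDespawn) {
                $e->closed = true;
                unset($this->entities[$id]);
            }
        }
    }
}

// Vulnerable handler: the check (target present and alive) ignores the despawn flag.
function handleAttackVulnerable(World $w, int $targetId, float $damage): void {
    $t = $w->entities[$targetId] ?? null;
    if ($t === null || !$t->isAlive()) {
        return;
    }
    $t->health -= $damage;
    if ($t->health <= 0) {
        $t->dropLoot($w->drops);
    }
}

// Hardened handler: re-check despawn state at the moment of use, in the same tick
// as the mutation, so an entity already leaving the world cannot also die and drop loot.
function handleAttackHardened(World $w, int $targetId, float $damage): void {
    $t = $w->entities[$targetId] ?? null;
    if ($t === null || !$t->isAlive() || $t->flaggedForDespawn) {
        return;
    }
    $t->health -= $damage;
    if ($t->health <= 0) {
        $t->dropLoot($w->drops);
    }
}

function scenario(callable $handler): array {
    $w = new World();
    $victim = new PlayerEntity(7, 1.0, ["diamond_sword", "apple"], 30);
    $w->entities[7] = $victim;
    $w->beginDisconnect($victim);   // inventory saved, entity flagged, still in the table
    $handler($w, 7, 5.0);           // attacker's timed packet lands inside the window
    $w->flushDespawns();            // entity finally removed
    return ['saved' => $w->savedInventories[7], 'dropped' => $w->drops];
}

print_r(scenario('handleAttackVulnerable')); // items in the saved inventory AND in world drops
print_r(scenario('handleAttackHardened'));   // world drops stay empty
```

The hardened handler fixes the TOCTOU by making the state test part of the same step that mutates the entity; the idempotent guard in dropLoot is a second, independent layer so that even a future handler that forgets the flag cannot emit the same drops twice.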


3) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in ModalFormResponsePacket handling when processing oversized JSON form responses. A remote user can send a specially crafted packet containing a massive JSON array or object that the server decodes in full, consuming CPU and memory, to cause a denial of service.

Exploitation requires the attacker to hold a full in-game session, since form responses are not handled before that point.
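As an added example (not PocketMine-MP's own handler; the function name, exception class and limit values are mine), the PHP below bounds a raw form response at three points: byte length before any decoding, nesting depth inside json_decode, and element count after decoding. The four inputs at the bottom are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not PocketMine-MP code. Bounds a raw form-response payload
// before and during JSON decoding; the limits are illustrative.
final class FormResponseRejected extends RuntimeException {}

function decodeFormResponse(string $raw, int $maxBytes = 4096, int $maxDepth = 8, int $maxElements = 256): mixed {
    // 1. Cheapest check first: byte length, before any allocation proportional to the payload.
    $len = strlen($raw);
    if ($len > $maxBytes) {
        throw new FormResponseRejected("form response is {$len} bytes, limit is {$maxBytes}");
    }
    // 2. Depth is enforced inside the parser, so a deeply nested payload is rejected early.
    try {
        $decoded = json_decode($raw, true, $maxDepth, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new FormResponseRejected("malformed or too deeply nested: " . $e->getMessage(), 0, $e);
    }
    // 3. Element count, so a small-but-dense flat payload of thousands of values is rejected too.
    if (is_array($decoded) && count($decoded, COUNT_RECURSIVE) > $maxElements) {
        throw new FormResponseRejected("form response has too many elements, limit is {$maxElements}");
    }
    return $decoded;
}

// Constructed inputs: a legitimate custom-form response, a multi-megabyte array,
// a deeply nested array, and a small but dense flat array.
$cases = [
    'legit' => '[true, 3, "Steve"]',
    'huge'  => '[' . str_repeat('0,', 1_000_000) . '0]',
    'deep'  => str_repeat('[', 64) . str_repeat(']', 64),
    'dense' => '[' . str_repeat('1,', 300) . '1]',
];

foreach ($cases as $name => $raw) {
    try {
        $v = decodeFormResponse($raw);
        printf("%-5s accepted: %s\n", $name, json_encode($v));
    } catch (FormResponseRejected $e) {
        printf("%-5s rejected: %s\n", $name, $e->getMessage());
    }
}
```

Only the first case is accepted: the 2 MB array never reaches the parser, the 64-deep array fails inside json_decode on the depth limit, and the 301-element array is caught by the count check. Ordering the checks this way means the attacker's cost of being rejected is always at least as high as the server's cost of rejecting.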


Remediation

Install the update from the vendor's website.