Improper input validation in PocketMine-MP - #VU125421

 

Published: May 19, 2021 / Updated: April 8, 2026


Vulnerability identifier: #VU125421
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: PocketMine-MP
Software vendor: PMMP

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in MovePlayerPacket handling when processing serverbound movement packets containing NaN or INF values in position or rotation fields. A remote attacker can send a specially crafted MovePlayerPacket to cause a denial of service.

Malformed rotation values may also prevent clients from seeing other clients correctly, and clients may crash when such values are processed.
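
The input check this description implies, shown as an added example (not PocketMine-MP's or the vendor's code): a range check alone accepts NaN because every comparison with NaN is false, so finiteness has to be tested first, on rotation fields as well as position. The six-float layout, the field names, `MAX_COORD` and the function names are assumptions made for illustration, and the sample buffers are constructed.

```php
<?php
declare(strict_types=1);

// Assumed simplified layout (not PocketMine-MP's real wire format):
// six little-endian float32 values: x, y, z, pitch, yaw, headYaw.
const FIELDS = ['x', 'y', 'z', 'pitch', 'yaw', 'headYaw'];
const MAX_COORD = 30000000.0; // hypothetical world bound

/** Decode the six floats from a raw buffer into a name => value map. */
function decodeMovement(string $buf): array {
    if (strlen($buf) !== 24) {
        throw new InvalidArgumentException('expected 24 bytes');
    }
    return array_combine(FIELDS, array_values(unpack('g6', $buf)));
}

/** Naive check: position only, and NaN passes because NaN < a and NaN > a are both false. */
function naiveInRange(array $m): bool {
    foreach (['x', 'y', 'z'] as $k) {
        if ($m[$k] < -MAX_COORD || $m[$k] > MAX_COORD) {
            return false;
        }
    }
    return true;
}

/** Hardened check: reject NaN/INF in every field before any range test. */
function validateMovement(array $m): bool {
    foreach (FIELDS as $k) {
        if (!is_finite($m[$k])) {
            return false;
        }
    }
    return naiveInRange($m);
}

// Constructed samples: ordinary movement, NaN position, INF rotation.
$samples = [
    'normal'  => pack('g6', 10.5, 64.0, -3.25, 0.0, 90.0, 90.0),
    'nan-x'   => pack('g6', NAN, 64.0, -3.25, 0.0, 90.0, 90.0),
    'inf-yaw' => pack('g6', 10.5, 64.0, -3.25, 0.0, INF, 90.0),
];
foreach ($samples as $name => $buf) {
    $m = decodeMovement($buf);
    printf("%-8s naive=%s hardened=%s\n", $name,
        naiveInRange($m) ? 'accept' : 'reject',
        validateMovement($m) ? 'accept' : 'reject');
}
```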


Remediation

Install the security update from the vendor's website.
