Insufficient Control of Network Message Volume in PocketMine-MP - #VU125429

 


Published: April 8, 2026


Vulnerability identifier: #VU125429
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-406
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PMMP
Affected software:
PocketMine-MP

Detailed vulnerability description

The vulnerability allows a remote user to cause network amplification and modify game state visible to other clients.

The vulnerability exists due to insufficient control of network message volume when the server processes client-supplied ActorEventPacket messages. A remote user can send specially crafted ActorEventPacket messages to cause network amplification and modify game state visible to other clients.

For each packet sent by the user, an animation event is broadcast to every other player the user is visible to, and the issue can also waste server CPU and memory.
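
One general way to bound the fan-out described above is to charge a per-session budget for every outbound copy rather than for every inbound packet. This is an added sketch, not PocketMine-MP code or the vendor's fix; `FanoutBudget`, `simulate`, the limits and the sample traffic are all assumptions constructed for illustration.

```python
# Added illustration (not PocketMine-MP code): budget client-triggered
# broadcasts by the number of outbound copies, not by inbound packets.
# Capacity and refill values are assumed, not taken from the advisory.

class FanoutBudget:
    """Per-session token bucket; one token pays for one outbound copy."""

    def __init__(self, capacity=200, refill_per_sec=100):
        self.cap_milli = capacity * 1000      # integer milli-tokens avoid float drift
        self.refill_per_sec = refill_per_sec  # tokens/s == milli-tokens/ms
        self.milli = self.cap_milli
        self.last_ms = 0
        self.dropped = 0

    def allow(self, now_ms, viewers):
        elapsed = max(0, now_ms - self.last_ms)   # ignore a clock that goes backwards
        self.last_ms = max(self.last_ms, now_ms)
        self.milli = min(self.cap_milli, self.milli + elapsed * self.refill_per_sec)
        # Charge at least 1 token (handling cost with no viewers) and at most a
        # full bucket, so very large audiences are throttled, not starved forever.
        cost = max(1, min(viewers, self.cap_milli // 1000)) * 1000
        if cost > self.milli:
            self.dropped += 1
            return False
        self.milli -= cost
        return True


def simulate(packet_times_ms, viewers, budget=None):
    """Replay one session's event packets; budget=None models no limit at all."""
    forwarded = outbound = 0
    for t in packet_times_ms:
        if budget is None or budget.allow(t, viewers):
            forwarded += 1
            outbound += viewers       # one copy per player who can see the sender
    return {"forwarded": forwarded, "outbound": outbound,
            "dropped": 0 if budget is None else budget.dropped}


# Constructed traffic: a flood of 1000 packets in one second, and an ordinary
# session sending one event every 500 ms, each visible to 50 other players.
FLOOD = range(0, 1000)
NORMAL = range(0, 10_000, 500)

if __name__ == "__main__":
    print("flood, no limit: ", simulate(FLOOD, 50))
    print("flood, budgeted: ", simulate(FLOOD, 50, FanoutBudget()))
    print("normal, budgeted:", simulate(NORMAL, 50, FanoutBudget()))
```

Because the cost scales with the number of viewers, the same inbound rate is throttled harder in a crowded area, which is where the amplification is largest.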


Remediation

Install the security update from the vendor's website.
