PocketMine-MP, ActorEventPacket Consumption Abuse, No CVE (Medium)

Listen to this Post

How the mentioned vulnerability works (CVE not assigned, but issue exists):
The PocketMine-MP server incorrectly trusts `ActorEventPacket` sent by vanilla clients.
When a player eats food or drinks a potion, the client sends this packet with a consume animation event ID.
The server, instead of validating the action, blindly broadcasts an animation event to every other player visible to the attacker.
This creates an amplification effect: one malicious packet generates N outgoing packets (where N is the number of nearby players).
An attacker can send thousands of `ActorEventPacket` per second using a modified client or script.
Each packet forces the server to iterate through the list of visible players and send a new packet to each.
This consumes excessive CPU cycles for packet encoding and network I/O.
Memory usage spikes because outgoing packet buffers fill up rapidly.
The issue is similar to previously fixed vulnerabilities in `AnimatePacket` and `LevelSoundEventPacket` from PM4’s network overhaul.

However, `ActorEventPacket` was overlooked and remained vulnerable.

No authentication or rate-limiting exists for this packet type in affected versions.
The server treats every `ActorEventPacket` as a legitimate action, even if the player is not actually eating or drinking.
Attackers can trigger this from any distance as long as they are connected to the server.
The result is a distributed denial-of-service (DDoS) against the server and its clients.
Latency for all players increases, and the server may become unresponsive.
The vulnerability requires no special privileges; any authenticated player can exploit it.
It is a classic case of missing server-side authority over client-triggered animations.
The patch discards all client-sent ActorEventPacket, making consumption animations fully server-controlled.

dailycve form:

Platform: PocketMine-MP
Version: Pre aeea1150
Vulnerability: Packet amplification
Severity: Medium
Date: Not disclosed

Prediction: Already patched

What Undercode Say:

Simulate malicious ActorEventPacket using a PocketMine-MP plugin (for testing)
Install a plugin that sends raw packet via DataPacketSendEvent (attacker side)
Or use a Python script with RakNet protocol (conceptual)
Rate-limit fix using DataPacketDecodeEvent (plugin code snippet)
$plugin->getServer()->getPluginManager()->registerEvent(DataPacketDecodeEvent::class, function(DataPacketDecodeEvent $event) {
if ($event->getPacket() instanceof ActorEventPacket) {
$player = $event->getPlayer();
$rateLimitKey = "actor_event_" . $player->getName();
$lastTime = $player->getNamedTag()->getLong($rateLimitKey, 0);
if (microtime(true) - $lastTime < 0.5) {
$event->cancel(); // Drop excessive packets
}
$player->getNamedTag()->setLong($rateLimitKey, microtime(true));
}
});
Check for vulnerable version
$ git clone https://github.com/pmmp/PocketMine-MP
$ cd PocketMine-MP
$ git log --oneline | grep aeea1150
aeea1150 Fix ActorEventPacket consumption animation abuse

Exploit:

Send repeated `ActorEventPacket` (ID 0x2C) with event ID 1 (consume) using a custom client or proxy. Forge up to 1000 packets per second. Observe server CPU >90% and mass disconnections.

Protection from this CVE

Update to commit `aeea1150` or newer. If patching impossible, install a plugin that uses `DataPacketDecodeEvent` to rate-limit `ActorEventPacket` to ≤2 per second per player. Alternatively, firewall UDP traffic from suspicious IPs.

Impact:

Remote authenticated attacker causes server-wide lag, memory exhaustion, and network flooding. Every malicious packet amplifies to all visible players, enabling a low-bandwidth DoS that crashes small servers within seconds.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top