PocketMine-MP, Log Denial of Service (LogDoS), GHSA-xp4f-g2cm-rhg7 (moderate)


PocketMine-MP parses the clientData JWT body of the LoginPacket with a JsonMapper instance that was configured to warn on unexpected properties rather than reject them. The affected code in `LoginPacketHandler.php` put no limit on how many unknown properties it would tolerate, so a remote client could fill the JWT body with thousands of junk key-value pairs. Each one invoked the warning handler (warnUndefinedJsonPropertyHandler), which logged a message per property without restriction, flooding the console and burning CPU time on formatting and writing log lines.

The result is resource exhaustion that degrades server performance and can amount to a denial of service. No authentication is required: the LoginPacket is sent during the initial handshake, before any player verification, so any host that can reach a public-facing server can send the crafted packet.

The fix adds a counter to the handler. Up to 10 unknown properties are still tolerated and logged, so minor clientData changes between client versions keep working, but once that limit is exceeded the packet is rejected outright, which bounds the log output a single packet can produce.
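To make the difference concrete, here is an added PHP illustration (not PocketMine-MP's own code) of the warn-only JsonMapper set-up beside a counting set-up in the spirit of the fix. `ClientDataStub`, `CountingLogger`, the field names, the junk body and the vendor autoload path are all constructed for this example; the only real dependency is the netresearch/jsonmapper library's `undefinedPropertyHandler` hook, which is called once for every key the target class does not declare.

```php
<?php
// Added illustration for GHSA-xp4f-g2cm-rhg7, not PocketMine-MP's code.
// Requires the netresearch/jsonmapper library (composer require netresearch/jsonmapper);
// the autoload path below is an assumption for a stand-alone run.
require __DIR__ . "/vendor/autoload.php";

// Stand-in for the real ClientData model: two declared fields, constructed for this example.
final class ClientDataStub {
    public string $DeviceModel;
    public int $DeviceOS;
}

// Stand-in for the server logger: counts warnings instead of writing to the console.
final class CountingLogger {
    public int $warnings = 0;
    public function warning(string $message) : void {
        $this->warnings++;
    }
}

// Vulnerable set-up: JsonMapper calls undefinedPropertyHandler for every key the
// target class lacks, and this handler only logs, so the sender controls the line count.
function makeWarnOnlyMapper(CountingLogger $logger) : \JsonMapper {
    $mapper = new \JsonMapper();
    $mapper->undefinedPropertyHandler = function(object $target, string $name, mixed $value) use ($logger) : void {
        $logger->warning("Unexpected JSON property $name");
    };
    return $mapper;
}

// Hardened set-up: count unknown properties, keep logging up to $limit of them
// (harmless version drift), then throw so the caller rejects the whole packet
// instead of logging the rest. The counter lives in the closure, so build one
// mapper per packet rather than sharing it across connections.
function makeLimitedMapper(CountingLogger $logger, int $limit = 10) : \JsonMapper {
    $mapper = new \JsonMapper();
    $unknown = 0;
    $mapper->undefinedPropertyHandler = function(object $target, string $name, mixed $value) use ($logger, $limit, &$unknown) : void {
        if (++$unknown > $limit) {
            throw new \JsonMapper_Exception("Too many unexpected JSON properties (limit $limit)");
        }
        $logger->warning("Unexpected JSON property $name");
    };
    return $mapper;
}

// Constructed attacker-style JWT body: the two declared fields plus 1000 junk keys.
$body = (object)["DeviceModel" => "Example", "DeviceOS" => 1];
for ($i = 0; $i < 1000; $i++) {
    $body->{"junk_$i"} = "value";
}

$log = new CountingLogger();
makeWarnOnlyMapper($log)->map($body, new ClientDataStub());
echo "warn-only mapper: {$log->warnings} warnings logged, body accepted\n";

$log = new CountingLogger();
try {
    makeLimitedMapper($log)->map($body, new ClientDataStub());
    echo "limited mapper: body accepted\n";
} catch (\JsonMapper_Exception $e) {
    echo "limited mapper: {$log->warnings} warnings logged, then rejected: {$e->getMessage()}\n";
}
```

With the constructed body the first mapper logs one warning per junk key, whereas the second logs at most ten and then throws, which is the point of the fix: the cost of a hostile packet is capped at a constant number of log lines instead of scaling with the attacker's payload.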
Platform: PocketMine-MP
Version: prior to 5.42.1
Vulnerability: Log DoS
Severity: MODERATE
Date: 2026-04-15

Prediction: 2026-04-04

What Undercode Says:

Monitor server logs for excessive "Unexpected JSON property" warnings
tail -f /path/to/pocketmine/logs/server.log | grep "Unexpected JSON property"
Check for CPU load spikes caused by log flooding
top -b -n 1 | grep -E "Cpu|pocketmine"
Count total warning occurrences (run it twice a minute apart; a count that jumps by hundreds between runs indicates an attack in progress)
grep -c "Unexpected JSON property" /path/to/pocketmine/logs/server.log
Mitigation: apply the workaround plugin below (save as NoJunkPropertiesPlugin.php next to a plugin.yml whose `main` is NoJunkPropertiesPlugin). It rejects any LoginPacket whose clientData JWT body carries a property not declared on pocketmine\network\mcpe\ClientData, which is stricter than the upstream fix's 10-property allowance.
cat > NoJunkPropertiesPlugin.php << 'EOF'
<?php
// Workaround for GHSA-xp4f-g2cm-rhg7: drop LoginPackets whose clientData JWT body
// carries properties that ClientData does not declare. Stricter than the 5.42.1
// fix (which tolerates 10 unknown properties), so clients that legitimately send
// extra fields will also be refused.
use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\ClientData;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\plugin\PluginBase;

class NoJunkPropertiesPlugin extends PluginBase {
    public function onEnable() : void {
        $this->getServer()->getPluginManager()->registerEvents(
            new class($this) implements Listener {
                public function __construct(private PluginBase $owner) {}

                public function onDataPacketReceive(DataPacketReceiveEvent $event) : void {
                    $pk = $event->getPacket();
                    if (!($pk instanceof LoginPacket)) {
                        return;
                    }
                    // The JWT is a compact JWS (header.payload.signature); the
                    // properties live in the base64url-encoded payload segment.
                    $parts = explode(".", $pk->clientDataJwt);
                    $body = count($parts) === 3
                        ? json_decode(base64_decode(strtr($parts[1], "-_", "+/"), true))
                        : null;
                    if (!is_object($body)) {
                        $event->cancel();
                        $this->owner->getLogger()->warning("Blocked LoginPacket with malformed clientData JWT");
                        return;
                    }
                    $mapper = new \JsonMapper();
                    $mapper->bExceptionOnUndefinedProperty = true; // throw on the first unknown key
                    try {
                        $mapper->map($body, new ClientData());
                    } catch (\JsonMapper_Exception $e) {
                        $event->cancel();
                        $this->owner->getLogger()->warning("Blocked LoginPacket with unexpected JWT properties: " . $e->getMessage());
                    }
                }
            }, $this
        );
    }
}
EOF

Exploit:

Custom malicious client payload (conceptual). The junk keys go directly into the clientData JWT body, so every one of them is an unexpected property to the mapper:
import json
# 1000 unknown properties alongside whatever legitimate fields the client normally sends
jwt_body = json.dumps({f"junk_{i}": "value" for i in range(1000)})
# jwt_body becomes the base64url-encoded payload segment of the clientData JWT carried in the LoginPacket
Result: the server logs 1000+ warnings for a single packet, CPU usage climbs, and repeated packets produce a DoS

Protection from this CVE

  • Upgrade to PocketMine-MP >=5.42.1, which tolerates at most 10 unknown properties per clientData JWT and rejects the packet beyond that.
  • Until you can upgrade, use the plugin workaround with `bExceptionOnUndefinedProperty = true` to reject packets with any unexpected property. This is stricter than the upstream fix and will also refuse clients that legitimately send fields the server does not know about, so test it against the client versions you support.
  • Deploy network-level rate limiting to block excessive LoginPackets from suspicious IPs.
  • Monitor logs for rapid “Unexpected JSON property” warnings to detect ongoing attacks.

Impact

  • Attackers fill the JWT body with junk properties, and the server logs hundreds or thousands of warnings per packet.
  • CPU time is wasted on processing and logging, degrading server performance.
  • Unauthenticated remote DoS; affects all public-facing PocketMine-MP servers prior to 5.42.1.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
