{
  "schema_version": "1.4.0",
  "id": "GHSA-g274-c6jj-h78p",
  "modified": "2025-03-10T20:29:26Z",
  "published": "2025-03-10T20:29:26Z",
  "aliases": [],
  "summary": "PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()",
  "details": "### Impact\nDue to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients were able to abuse some packets to waste server CPU and memory.\n\nThis is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:\n\n- Sign editing\n- LoginPacket JWT parsing\n- Command parsing\n\nHowever, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.\n\n### Patches\nThe issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.\n\nA custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to `explode()` within the codebase must specify the `limit` parameter.\n\n### Workarounds\nNo simple way to fix this.\nGiven that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing `BlockActorDataPacket` to check that the incoming text doesn't have more than 4 parts when split by `\\n`.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pocketmine/pocketmine-mp"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.25.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-g274-c6jj-h78p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmmp/PocketMine-MP/commit/d0d84d4c5195fb0a68ea7725424fda63b85cd831"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pmmp/PocketMine-MP"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-10T20:29:26Z",
    "nvd_published_at": null
  }
}