5.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-42qm-8v8m-m78c

EPSS Score

CWE

CWE-400

Published

6/1/2023

Updated

6/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-42qm-8v8m-m78c

GHSA-42qm-8v8m-m78c: PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'

Impact

A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories.

Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).

This is not currently known to have been exploited in the wild.

Patches

This problem was fixed in 4.18.0-ALPHA2 by ca6d51498f12427a947467da8fcad7811418e6cc alongside the introduction of the ItemStackRequest system implementation.

Workarounds

Plugins can handle DataPacketReceiveEvent for InventoryTransactionPacket and check if the type is MismatchTransactionData. If it is, apply some kind of rate limit (e.g. max 1 per tick).

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-42qm-8v8m-m78c

EPSS Score

CWE

CWE-400

Published

6/1/2023

Updated

6/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pocketmine/pocketmine-mp	composer	< 4.18.0-ALPHA2	4.18.0-ALPHA2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from immediate processing of 'MismatchTransactionData' inventory transactions without rate limiting. The advisory specifies the root cause was lack of deferral until tick end and missing rate limits. The fix introduced deferred syncing (tick-end buffering) and the workaround suggests plugin-level rate limiting. This implies the vulnerable code path directly handled mismatch transactions in the packet handler without these protections. While exact code isn't shown, the PacketHandler architecture pattern in PocketMine-MP and the described vulnerability mechanism strongly indicate the MismatchTransactionData handler function as the vulnerable point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * "mism*t**" typ* `Inv*ntoryTr*ns**tionP**k*t` is s*nt *y t** *li*nt to r*qu*st * r*syn* o* *ll *urr*ntly op*n inv*ntori*s. Sin** Po*k*tMin*-MP *o*s not r*t*-limit t**s* "mism*t**" tr*ns**tions, *n* t** syn*in* o* inv*ntori*s is not ****r

Reasoning

T** vuln*r**ility st*ms *rom imm**i*t* pro**ssin* o* 'Mism*t**Tr*ns**tion**t*' inv*ntory tr*ns**tions wit*out r*t* limitin*. T** **visory sp**i*i*s t** root **us* w*s l**k o* ****rr*l until ti*k *n* *n* missin* r*t* limits. T** *ix intro*u*** ****rr*

5.3

Basic Information

Concerned about an active attack path?

GHSA-42qm-8v8m-m78c: PocketMine MP vulnerable to uncontrolled resource consumption via mismatched type of 'InventoryTransactionPacket'

Impact

Patches

Workarounds

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI