7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-92jh-gwch-jq38

EPSS Score

CWE

Published

9/14/2023

Updated

5/23/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-92jh-gwch-jq38

GHSA-92jh-gwch-jq38: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

Impact

An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.

This happened due to the particular handling of NULL types in the json mapper which accepts NULL type values in typed arrays which PocketMine-MP did not expect.

Code processing arrays in the JSON data could then crash due to unexpected NULL elements.

Patches

This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8dab1c9df331fad7d3d89823404e882668c

An upstream patch for this issue was proposed via https://github.com/cweiske/jsonmapper/pull/211; however, as of 2024-05-15, the patch has not been accepted upstream due to debate about how to deal with the behavior. For now, a fork of JsonMapper is used by PocketMine-MP to workaround the issue.

Workarounds

A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.

References

Proposed upstream patch for a behavior change: https://github.com/cweiske/jsonmapper/pull/211

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-92jh-gwch-jq38

EPSS Score

CWE

Published

9/14/2023

Updated

5/23/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pocketmine/pocketmine-mp	composer	>= 5.0.0, <= 5.3.0	5.3.1
pocketmine/pocketmine-mp	composer	<= 4.23.0	4.23.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from JsonMapper's array handling logic. The commit diff shows critical changes in mapArray() where null acceptance in typed arrays was removed. Previously, when encountering a null value in JSON arrays (e.g., in LoginPacket data), JsonMapper would insert null into PHP arrays even when the target type declaration didn't allow null. This caused type inconsistencies that crashed PocketMine-MP when processing these arrays. The mapArray function is directly responsible for this type mapping behavior, and its pre-patch implementation matches the vulnerability description of accepting unexpected nulls in typed arrays.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r *oul* *r*s* Po*k*tMin*-MP *y s*n*in* m*l*orm** JSON in `Lo*inP**k*t`. T*is **pp*n** *u* to t** p*rti*ul*r **n*lin* o* NULL typ*s in t** json m*pp*r w*i** ****pts NULL typ* v*lu*s in typ** *rr*ys w*i** Po*k*tMin*-MP *i* not *xp

Reasoning

T** vuln*r**ility st*ms *rom JsonM*pp*r's *rr*y **n*lin* lo*i*. T** *ommit *i** s*ows *riti**l ***n**s in `m*p*rr*y()` w**r* null ****pt*n** in typ** *rr*ys w*s r*mov**. Pr*viously, w**n *n*ount*rin* * null v*lu* in JSON *rr*ys (*.*., in `Lo*inP**k*t

7.5

Basic Information

Concerned about an active attack path?

GHSA-92jh-gwch-jq38: PocketMine-MP server crash with certain invalid JSON payloads in `LoginPacket` due to dependency vulnerability (again)

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI