Due to lack of limits by default in the explode() function, malicious clients were able to abuse some packets to waste server CPU and memory.

This is similar to a previous security issue published in https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-gj94-v4p9-w672, but with a wider impact, including but not limited to:

However, the estimated impact of these issues is low, due to other limits such as the packet decompression limit.

The issue was fixed in 5.25.2 via d0d84d4c5195fb0a68ea7725424fda63b85cd831.

A custom PHPStan rule has also been introduced to the project, which will henceforth require that all calls to explode() within the codebase must specify the limit parameter.

No simple way to fix this. Given that sign editing is the easiest way this could be exploited, workarounds could include plugins pre-processing BlockActorDataPacket to check that the incoming text doesn't have more than 4 parts when split by .