Name of the Vulnerable Software and Affected Versions PocketMine-MP versions prior to 3.15.4

Description The issue arises from specially crafted InventoryTransactionPackets sent by malicious clients, exploiting the behavior of InventoryTransaction->findResultItem() and causing it to take an abnormally long time to execute, resulting in an apparent server freeze. This occurs due to the complexity of compacting conflicting InventoryActions within the same InventoryTransaction, which becomes exponential when multiple pathways to a result exist. The problem is being exploited in the wild to deny service to servers.

Recommendations For versions prior to 3.15.4, upgrade to 3.15.4 or a newer version to resolve the issue. As a temporary workaround, consider implementing checks in a plugin listening to DataPacketReceiveEvent to mitigate the risk of exploitation.