PT-2022-28232 · Unknown · Pocketmine-Mp
Published: 2022-01-06 · Updated: 2022-01-06
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
PocketMine-MP (affected versions not specified)
Description
The issue arises from uncapped skin data fields, such as skinID and geometryName, which are saved in the NBT data of a player. These fields have a 32767-byte limit due to the TAG_String limit. If any of these fields exceed this limit, an exception is thrown during data saving, causing the server to crash. Other fields like skinGeometryData have a larger limit and are not a concern due to the decompressed packet size limit.
Recommendations
For affected versions, consider using a plugin to check player skins during the PlayerLoginEvent and PlayerSkinChangeEvent to ensure that the offending fields are not larger than 32767 bytes.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
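One way to write the recommended check as a plugin listener. This is an added example, not code from the advisory or from PocketMine-MP. It assumes the PocketMine-MP 4 plugin API, in which the skin-change event class is named PlayerChangeSkinEvent; the namespace and class name are hypothetical.

```php
<?php
// Added example; assumes the PocketMine-MP 4 plugin API.
declare(strict_types=1);

namespace example\skinguard; // hypothetical plugin namespace

use pocketmine\entity\Skin;
use pocketmine\event\Listener;
use pocketmine\event\player\PlayerChangeSkinEvent;
use pocketmine\event\player\PlayerLoginEvent;

final class SkinFieldGuard implements Listener{
	/** Largest string payload, in bytes, that the advisory says can be saved. */
	private const MAX_TAG_STRING_BYTES = 32767;

	/** Returns the names of the skin fields too long to be saved to NBT. */
	public static function oversizedFields(Skin $skin) : array{
		// Only the two fields the advisory names are checked here.
		$fields = [
			"skinID" => $skin->getSkinId(),
			"geometryName" => $skin->getGeometryName(),
		];
		// strlen() counts bytes, the unit of the limit; mb_strlen() would
		// undercount multi-byte UTF-8 input and let oversized values through.
		return array_keys(array_filter(
			$fields,
			static fn(string $v) : bool => strlen($v) > self::MAX_TAG_STRING_BYTES
		));
	}

	public function onLogin(PlayerLoginEvent $event) : void{
		$bad = self::oversizedFields($event->getPlayer()->getSkin());
		if($bad !== []){
			// Refuse the login so the skin never reaches a player data save.
			$event->setKickMessage("Invalid skin: " . implode(", ", $bad) . " too long");
			$event->cancel();
		}
	}

	public function onSkinChange(PlayerChangeSkinEvent $event) : void{
		if(self::oversizedFields($event->getNewSkin()) !== []){
			$event->cancel(); // the player keeps the previous skin
		}
	}
}
```

Register the listener from the plugin's onEnable() with `$this->getServer()->getPluginManager()->registerEvents(new SkinFieldGuard(), $this);`.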
Affected Products
Pocketmine-Mp