Name of the Vulnerable Software and Affected Versions PocketMine-MP versions prior to 3.18.1

Description A malicious client can send a MovePlayerPacket to the server with position or rotation containing NaN or INF, causing various side effects. The server may crash due to PHP warnings converted into exceptions from mathematical operations on NaN/INF. Clients may not be able to see other clients with NaN/INF rotation and may also crash in such cases.

Recommendations For versions prior to 3.18.1, update to version 3.18.1 to resolve the issue. As a temporary workaround, consider implementing a plugin using DataPacketReceiveEvent to block any inbound movement packets containing bogus values.