PT-2022-28247 · Unknown · Pocketmine-Mp

Published: 2022-05-25 · Updated: 2022-05-25

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

PocketMine-MP versions prior to the version containing the fix in https://github.com/pmmp/PocketMine-MP/commit/df33e179e5d3ff13b56a2d7060bf592b0f797258

Description

The issue arises from how PocketMine-MP handles incoming chat message blobs. For legacy reasons, these messages are split on newline characters, and each part is treated as a separate message. However, the length of the whole message is not checked, which leads to a performance issue. A malicious client can send a large chat packet containing numerous newline characters, causing the server to parse it into a large array and spend significant time iterating over it. In addition, rate limit checks are insufficient, so malicious clients can bombard the server with many such messages and cause lockups for a significant amount of time.

Recommendations

For versions prior to the fix, consider handling DataPacketReceiveEvent and checking for excessive newlines in incoming TextPacket as a temporary workaround. At the moment, there is no information about a newer release that contains a fix for this vulnerability other than the commit mentioned, so update to a version that includes the fix in https://github.com/pmmp/PocketMine-MP/commit/df33e179e5d3ff13b56a2d7060bf592b0f797258.
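One way to structure the workaround check described above, as an added example that is neither PocketMine-MP's code nor the upstream fix. The class name `ChatBlobGuard`, the limits and the sender key are assumptions; in a plugin, `check()` would be called from a DataPacketReceiveEvent handler on the TextPacket message before it is processed, and it also adds the per-sender rate limit the description says is missing.

```php
<?php
declare(strict_types=1);

/** Pre-parse guard for one chat blob. All limits are assumed values, not PocketMine-MP's. */
final class ChatBlobGuard {
    /** @var array<string, array{float, float}> sender => [tokens, lastSeen] */
    private array $buckets = [];

    public function __construct(
        private int $maxBytes = 512,     // assumed cap on the whole blob
        private int $maxLines = 4,       // assumed cap on newline-separated parts
        private float $burst = 5.0,      // assumed token-bucket size
        private float $perSecond = 1.0   // assumed refill rate
    ) {}

    /** Returns null when the blob may be processed, otherwise the rejection reason. */
    public function check(string $sender, string $message, float $now): ?string {
        // Rate limit first, so rejected blobs still cost the sender a token.
        [$tokens, $last] = $this->buckets[$sender] ?? [$this->burst, $now];
        $tokens = min($this->burst, $tokens + ($now - $last) * $this->perSecond);
        if ($tokens < 1.0) {
            $this->buckets[$sender] = [$tokens, $now];
            return "rate";
        }
        $this->buckets[$sender] = [$tokens - 1.0, $now];

        // Constant-time length check before any scanning or splitting.
        if (strlen($message) > $this->maxBytes) {
            return "length";
        }
        // Count delimiters without allocating the array that explode() would build.
        if (substr_count($message, "\n") >= $this->maxLines) {
            return "newlines";
        }
        return null;
    }
}

// Constructed sample input, not captured traffic.
$guard = new ChatBlobGuard();
$samples = ["hello", "a\nb", str_repeat("\n", 300), str_repeat("x", 4096)];
foreach ($samples as $i => $msg) {
    $verdict = $guard->check("client-1", $msg, 100.0 + $i) ?? "ok";
    printf("sample %d (%d bytes): %s\n", $i, strlen($msg), $verdict);
}
```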

Related Identifiers

GHSA-GJ94-V4P9-W672

Affected Products

Pocketmine-Mp