Name of the Vulnerable Software and Affected Versions PocketMine-MP versions prior to 3.26.5 PocketMine-MP versions prior to 4.0.5

Description The issue allows players to fill book pages with an excessive number of characters, as the server does not enforce the character limit. Additionally, the maximum of 50 pages is not enforced, enabling players to create "book bombs". This causes several problems, including oversized NBT data, which results in excess bandwidth usage for both the server and client, server crashes when saving region-based worlds due to exceeding the maximum chunk size, and server crashes if any book page exceeds 32 KiB due to the TAG String size limit. An attacker must first obtain a writable book to exploit this issue.

Recommendations For versions prior to 3.26.5, update to version 3.26.5 or later. For versions prior to 4.0.5, update to version 4.0.5 or later. As a temporary workaround, consider banning writable books or using a plugin to cancel the PlayerEditBookEvent if strlen(text) > 1024 || mb strlen(text) > 256.