Name of the Vulnerable Software and Affected Versions PocketMine-MP (affected versions not specified)

Description A remote attacker may crash a server by sending a PlayerActionPacket with invalid facing values, such as negative values, specifically with START BREAK or CRACK BLOCK actions, or with a UseItemTransactionData typically in InventoryTransactionPacket.

Recommendations For all affected versions, consider using a plugin to cancel the DataPacketReceiveEvent if the packet is a PlayerActionPacket and the facing is outside the range 0-5 when receiving START BREAK or CRACK BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases. At the moment, there is no information about a newer version that contains a fix for this vulnerability.