PT-2023-32972 · Unknown · Pocketmine-Mp

Published: 2023-06-01 · Updated: 2023-06-01
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: PocketMine-MP versions prior to 4.18.0-ALPHA2
Description: The issue arises from the client sending a "mismatch" type InventoryTransactionPacket to request a resync of all currently open inventories. Because PocketMine-MP does not rate-limit these transactions and does not defer the inventory sync, a client can cheaply amplify bandwidth: each small request makes the server send out many MB of data. This is particularly problematic for inventories holding large amounts of NBT data. There are no known real-world exploits of this issue.
Recommendations: For versions prior to 4.18.0-ALPHA2, as a temporary workaround, handle DataPacketReceiveEvent for InventoryTransactionPacket and apply a rate limit (e.g., at most 1 per tick) when the transaction type is MismatchTransactionData. Update to version 4.18.0-ALPHA2 or later, which includes the fix for this issue alongside the introduction of the ItemStackRequest system implementation.
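The workaround described above, as an added example that is not part of this advisory or of PocketMine-MP itself: a minimal 4.x plugin that allows each session at most one "mismatch" resync request per server tick and cancels the rest before the server re-sends every open inventory. The namespaced class names, `getOrigin()`, `getTick()` and the public `trData` property are assumed from the PocketMine-MP 4.x API; the plugin name MismatchLimiter is made up, and the plugin still needs a plugin.yml declaring `main: MismatchLimiter\Main`.

```php
<?php
// Added example, not PocketMine-MP's own code: temporary mitigation for
// servers older than 4.18.0-ALPHA2. Class names are assumed from the 4.x API;
// the plugin name and the one-per-tick limit follow the advisory's suggestion.
declare(strict_types=1);

namespace MismatchLimiter;

use pocketmine\event\Listener;
use pocketmine\event\player\PlayerQuitEvent;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\protocol\InventoryTransactionPacket;
use pocketmine\network\mcpe\protocol\types\inventory\MismatchTransactionData;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener{

    /** @var int[] last tick at which a session was granted a resync, keyed by session object id */
    private array $lastResyncTick = [];

    protected function onEnable() : void{
        $this->getServer()->getPluginManager()->registerEvents($this, $this);
    }

    /**
     * Only the first mismatch transaction a session sends in a given tick is
     * passed on to the server; later ones in the same tick are cancelled, so
     * a flood of mismatch packets costs at most one inventory resync per tick.
     */
    public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
        $packet = $event->getPacket();
        if(!($packet instanceof InventoryTransactionPacket) || !($packet->trData instanceof MismatchTransactionData)){
            return; // not a mismatch resync request: leave it alone
        }
        $session = $event->getOrigin();
        $key = spl_object_id($session);
        $tick = $this->getServer()->getTick();
        if(($this->lastResyncTick[$key] ?? -1) === $tick){
            $event->cancel(); // already resynced this tick: drop the excess request
            $this->getLogger()->debug("Dropped excess mismatch transaction from " . $session->getDisplayName());
            return;
        }
        $this->lastResyncTick[$key] = $tick;
    }

    /** Forget the session when the player leaves so the map does not grow without bound. */
    public function onQuit(PlayerQuitEvent $event) : void{
        unset($this->lastResyncTick[spl_object_id($event->getPlayer()->getNetworkSession())]);
    }
}
```

A debug line per dropped packet also gives operators a simple signal for spotting a client that is hammering the server with resync requests.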

Weakness Enumeration: Resource Exhaustion
Related Identifiers: GHSA-42QM-8V8M-M78C
Affected Products: Pocketmine-Mp