PT-2023-33001 · Unknown · Pocketmine-Mp

Published: 2023-09-14 · Updated: 2023-09-14

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

PocketMine-MP versions prior to 4.23.1
PocketMine-MP versions prior to 5.3.1

Description

An attacker could crash PocketMine-MP by sending malformed JSON in the LoginPacket. The issue was caused by the way the JSON mapper handles NULL: it accepts NULL values as elements of typed arrays, which PocketMine-MP did not expect, so code processing arrays in the JSON data crashed on the unexpected NULL elements.

Recommendations

For versions prior to 4.23.1, update to version 4.23.1 to resolve the issue. For versions prior to 5.3.1, update to version 5.3.1 to resolve the issue. As a temporary workaround, consider handling DataPacketReceiveEvent for LoginPacket and checking that none of the input arrays contain NULL where it is not expected.
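The check described in the workaround can be sketched as the following added example, which is not PocketMine-MP code and not taken from the advisory. It assumes the handler has already obtained the login JSON as a string, treats any NULL element inside any array as unexpected, and uses constructed placeholder field names.

```php
<?php
declare(strict_types=1);

/**
 * Walk decoded JSON and return the path of every null that sits directly
 * inside a JSON array. Decoding objects as stdClass keeps JSON arrays
 * (PHP arrays) distinguishable from JSON objects.
 */
function findNullListElements(mixed $node, string $path = '$'): array
{
    $found = [];
    if (is_array($node)) {                       // JSON array
        foreach ($node as $i => $value) {
            $child = "{$path}[{$i}]";
            if ($value === null) {
                $found[] = $child;               // null element in a list
            } else {
                $found = array_merge($found, findNullListElements($value, $child));
            }
        }
    } elseif ($node instanceof stdClass) {       // JSON object
        foreach (get_object_vars($node) as $key => $value) {
            // A null property value is not reported here; only list elements are.
            $found = array_merge($found, findNullListElements($value, "{$path}.{$key}"));
        }
    }
    return $found;
}

/** True only if $json parses and no array in it holds a null element. */
function jsonListsAreNullFree(string $json): bool
{
    try {
        $decoded = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return false;                            // unparseable input: reject
    }
    return findNullListElements($decoded) === [];
}

// Constructed sample; field names are placeholders, not real login fields.
$sample = '{"ExampleId":"abc","ExampleList":[{"Name":"a"},null],'
        . '"ExampleNested":[{"Colors":["#ffffff",null]}],"ExampleOptional":null}';

foreach (findNullListElements(json_decode($sample)) as $p) {
    echo "null array element at {$p}\n";
}
var_dump(jsonListsAreNullFree($sample));
var_dump(jsonListsAreNullFree('{"ExampleList":[{"Name":"a"}]}'));
```

A plugin using this as a stopgap would reject the login when `jsonListsAreNullFree()` returns false; updating to 4.23.1 or 5.3.1 remains the actual fix.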

Related Identifiers

GHSA-92JH-GWCH-JQ38

Affected Products

Pocketmine-Mp