Name of the Vulnerable Software and Affected Versions PocketMine-MP versions prior to 4.20.5 PocketMine-MP versions prior to 4.21.1

Description An attacker could crash PocketMine-MP by sending malformed JSON in the LoginPacket. This issue occurred due to a bug in the netresearch/jsonmapper library, which failed to perform proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.

Recommendations For PocketMine-MP versions prior to 4.20.5, update to version 4.20.5 or later to resolve the issue. For PocketMine-MP versions prior to 4.21.1, update to version 4.21.1 or later to resolve the issue. As a temporary workaround, users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit pmmp/PocketMine-MP@09668a37d66c6023685a948b7550c918620e98f2. A plugin may also be able to workaround this issue by using DataPacketReceiveEvent to attempt detection of suspicious payloads and catching the ErrorException that is thrown in the crash case.