Name of the Vulnerable Software and Affected Versions PocketMine-MP (affected versions not specified) netresearch/jsonmapper (affected versions not specified)

Description The issue allows an attacker to crash PocketMine-MP by sending malformed JSON in the LoginPacket. This is due to the lack of validation in the netresearch/jsonmapper code, which can output improperly initialized objects. These objects may cause the code handling them in PocketMine-MP to crash because @required properties are not set within the objects. The JsonMapper does not respect bStrictObjectTypes when processing arrays, making it impossible to avoid the issue by disabling the feature.

Recommendations For PocketMine-MP, update the netresearch/jsonmapper to the version with the fix (pmmp/netresearch-jsonmapper@b96a209f9e8b76b899a0d0918493cd87eb3c02a7 and 6872661fd03649cc7a8762c41c16e9ee5a4de1c9). As a temporary workaround, consider restricting the input of malformed JSON in the LoginPacket to minimize the risk of exploitation. At the moment, there is no information about a newer version of PocketMine-MP that contains a fix for this vulnerability.