Vulnerability Database
296,760
Total vulnerabilities in the database
Book page text, count, and author/title length is not limited in PocketMine-MP
Impact
Players can fill book pages with as many characters as they like; the server does not check this. In addition, the maximum of 50 pages is also not enforced, meaning that players can create "book bombs".
This causes a variety of problems:
- Oversized NBT on the wire costing excess bandwidth for server and client
- Server crashes when saving region-based worlds due to exceeding maximum chunk size of 1 MB (PM3-specific)
- Server crashes if any book page exceeds 32 KiB (due to TAG_String size limit) (PM4-specific)
This does, however, require that an attacker obtain a writable book in the first place in order to exploit the problem.
Patches
The bug has been fixed in 3.26.5 and 4.0.5.
Workarounds
Ban writable books, or use a plugin to cancel PlayerEditBookEvent to cancel the event if strlen(text) > 1024 || mb_strlen(text) > 256.
For more information
If you have any questions or comments about this advisory:
- Email us at team@pmmp.io
| Software | From | Fixed in |
|---|---|---|
pocketmine / pocketmine-mp
|
- | 3.26.5 |
|
pocketmine / pocketmine-mp
|
4.0.0 | 4.0.5 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime