Vulnerability Database
296,760
Total vulnerabilities in the database
NaN/INF in serverbound movement packets can crash clients and servers
Impact
A malicious client may send a MovePlayerPacket to the server whose position or rotation contains NaN or INF. Since neither the server nor vanilla client handles this properly, a number of interesting side effects come into play.
- The server may crash in various ways if this exploit is used, because some mathematical operations on NaN/INF generate PHP warnings, which are converted into exceptions.
- Clients may not be able to see other clients who have a NaN/INF rotation.
- Clients may also crash in such cases.
Patches
A patch for this was included in the 3.18.1 release: https://github.com/pmmp/PocketMine-MP/commit/fb20bb38327b4c08ee3976640cd0dd547388a638
Workarounds
Workarounds could be implemented as plugins using DataPacketReceiveEvent to block any inbound movement packets containing bogus values.
For more information
If you have any questions or comments about this advisory:
- Open an issue in pmmp/PocketMine-MP
- Email us at team@pmmp.io
| Software | From | Fixed in |
|---|---|---|
pocketmine / pocketmine-mp
|
- | 3.18.1 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime