#VU125429 Insufficient Control of Network Message Volume in PocketMine-MP

 

Published: April 8, 2026


Vulnerability identifier: #VU125429
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-406
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
PocketMine-MP
Software vendor:
PMMP

Description

The vulnerability allows a remote user to cause network amplification and modify game state visible to other clients.

The vulnerability exists due to insufficient control of network message volume when the server processes client-supplied ActorEventPacket messages. A remote user can send specially crafted ActorEventPacket messages to cause network amplification and modify game state visible to other clients.

For each packet sent by the user, an animation event is broadcast to every other player the user is visible to, and the issue can also waste server CPU and memory.


Remediation

Install the security update from the vendor's website.
