Home > Vulnerability Database > WS-2023-0161

Mend.io Vulnerability Database

WS-2023-0161

Date: August 19, 2025

In pocketmine-mp before 4.18.0 a "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories. Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT). This is not currently known to have been exploited in the wild.

Language: PHP

Severity Score

6.5

Related Resources (5)

Url: https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-42qm-8v8m-m78c

Url: https://github.com/pmmp/PocketMine-MP/blob/4.18.0-ALPHA2/changelogs/4.18-alpha.md#4180-ALPHA2

Url: https://github.com/pmmp/PocketMine-MP

Url: https://github.com/pmmp/PocketMine-MP/commit/ca6d51498f12427a947467da8fcad7811418e6cc

Url: https://www.mend.io/vulnerability-database/WS-2023-0161

Severity Score

6.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0161

Date: August 19, 2025

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?