CVE-2023-7332
HIGHPocketMine-MP < 4.18.1 - Denial of Service via Inventory Transaction Handling
Title source: llmDescription
PocketMine-MP versions prior to 4.18.1 contain an improper input validation vulnerability in inventory transaction handling. A remote attacker with a valid player session can request that the server drop more items than are available in the player's hotbar, triggering a server crash and resulting in denial of service.
References (4)
Core 4
Core References
Various Sources release-notes
patch
https://github.com/pmmp/PocketMine-MP/blob/4.18.1/changelogs/4.18.md
Vendor Advisory vendor-advisory
https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-h87r-f4vc-mchv
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/pocketmine-mp-improper-validation-of-dropped-item-count-allows-remote-server-crash
Scores
CVSS v4
7.1
EPSS
0.0036
EPSS Percentile
27.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1284
Status
published
Products (2)
pmmp/PocketMine-MP
< 4.18.1
pocketmine/pocketmine-mp
0 - 4.18.1Packagist
Published
Dec 31, 2025
Tracked Since
Feb 18, 2026