Summary
Offline players can crash the server, even if offline mode is disabled.
Details
If a player joins without Xbox authentication, the server throws this error:
[Server thread/CRITICAL]: Error: "Typed property pocketmine\network\mcpe\protocol\types\login\AuthenticationInfo::$Certificate must not be accessed before initialization"
The issue happens during the login process before the player is fully rejected.
This happened because the @required annotation was removed from the Certificate field in AuthenticationInfo without the corresponding change being made on the PM side. As a result, unauthenticated players (who no longer provide the Certificate field) trigger a server crash when the uninitialized field is read.
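As an added illustration of the uninitialized-typed-property failure described above (example code written for this advisory, not PocketMine-MP's own classes; LoginInfo, decodeLogin, verifyUnsafe and verifySafe are hypothetical names), the vulnerable check beside a hardened one:

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the deserialized login payload; not PocketMine's class.
final class LoginInfo {
    // Typed property with no default: reading it before assignment throws Error
    // ("must not be accessed before initialization"), the crash described above.
    public string $Certificate;
}

// Populate only the keys present in the client-supplied JSON (assumed decoding shape).
function decodeLogin(string $json): LoginInfo {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $info = new LoginInfo();
    if (isset($data['Certificate']) && is_string($data['Certificate'])) {
        $info->Certificate = $data['Certificate'];
    }
    return $info;
}

// Vulnerable: assumes the field is always present, so a client that sends no
// Certificate makes the read throw an uncaught Error on the server thread.
function verifyUnsafe(LoginInfo $info): bool {
    return $info->Certificate !== '';
}

// Hardened: test initialization before reading, and reject the login as an
// ordinary protocol error instead of letting an Error escape.
function verifySafe(LoginInfo $info): bool {
    // isset() on an uninitialized typed property returns false without throwing.
    if (!isset($info->Certificate)) {
        return false; // caller disconnects the client with "authentication required"
    }
    return $info->Certificate !== '';
}

// Constructed sample payloads: one with a Certificate, one without.
$authenticated   = decodeLogin('{"Certificate":"<certificate-chain-placeholder>"}');
$unauthenticated = decodeLogin('{}');

var_dump(verifySafe($authenticated));
var_dump(verifySafe($unauthenticated));

try {
    verifyUnsafe($unauthenticated);
} catch (Error $e) {
    echo "unsafe path: " . $e->getMessage() . PHP_EOL;
}
```

Making the property nullable with a default (`public ?string $Certificate = null;`) and checking for null is an equivalent fix; the point is that a missing client-supplied field must be a rejected login, not an uncaught Error.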
PoC
- Join using a client without Xbox authentication.
- The server throws the error above and may crash.
Impact
Any unauthenticated player can remotely crash the server.
- No authentication required
- Affects public servers
- Can be abused repeatedly
Patches
The issue was fixed with e4aaef4 and 8c75a1d.