DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-F9JP-856V-8642: Race Condition and State Management Flaw Leading to Item Duplication in PocketMine-MP

Vulnerability ID: GHSA-F9JP-856V-8642
CVSS Score: 3.7
Published: 2026-04-06

PocketMine-MP versions prior to 5.39.2 contain a race condition in the entity lifecycle management system. Between the moment an entity begins despawning and the moment it is purged from the server's active lookup table, it can still be resolved and interacted with by other players; this concurrent interaction with a despawning entity leads to arbitrary item duplication.

TL;DR

A state-management flaw in PocketMine-MP allows attackers to duplicate items by interacting with a disconnecting player during the split-second window between that player's entity starting to despawn and its removal from the server's active lookup table.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • Vulnerability Type: Race Condition (TOCTOU)
  • CWE ID: CWE-362
  • Attack Vector: Network
  • CVSS Score: 3.7 (Low)
  • Exploit Status: Weaponized / In the Wild
  • Impact: Integrity Compromise (Item Duplication)

Affected Systems

  • PocketMine-MP (pocketmine/pocketmine-mp) prior to 5.39.2
  • Minecraft: Bedrock Edition private servers utilizing affected PocketMine-MP versions
  • pocketmine/pocketmine-mp: < 5.39.2 (Fixed in: 5.39.2)

Code Analysis

Commit: c0719b7

Add explicit state checks for despawning entities across packet handlers and world interactors

Mitigation Strategies

  • Upgrade PocketMine-MP to a minimum of version 5.39.2.
  • Implement an interim plugin-based event handler to intercept EntityDamageByEntityEvent operations against despawning entities.
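The second bullet describes an interim plugin-level guard. The listener below is an added example, not code from PocketMine-MP or from the advisory: it cancels any EntityDamageByEntityEvent whose victim (or, where resolvable, damager) has already started despawning, so the event layer stops acting on an entity that is still present in the lookup table only because the purge has not run yet. The plugin name and namespace (Example\DespawnGuard) are hypothetical; the PocketMine-MP API calls used (isClosed(), isFlaggedForDespawn(), Player::isConnected(), Event::cancel()) are the public API of the 4.x/5.x line.

```php
<?php
declare(strict_types=1);

// Hypothetical plugin namespace; the advisory names no plugin.
namespace Example\DespawnGuard;

use pocketmine\entity\Entity;
use pocketmine\event\entity\EntityDamageByEntityEvent;
use pocketmine\event\Listener;
use pocketmine\player\Player;
use pocketmine\plugin\PluginBase;

/**
 * Interim guard for unpatched PocketMine-MP (< 5.39.2).
 *
 * An entity that is flagged for despawn, already closed, or a player whose
 * connection is gone may still be resolvable from the world's entity lookup
 * table for a short window. Damage events that reach such an entity are
 * cancelled here before any other plugin or the core damage logic sees them.
 */
final class Main extends PluginBase implements Listener {

    protected function onEnable() : void {
        $this->getServer()->getPluginManager()->registerEvents($this, $this);
    }

    /**
     * LOWEST priority runs first, so later handlers never observe the stale event.
     * @priority LOWEST
     */
    public function onDamageByEntity(EntityDamageByEntityEvent $event) : void {
        $victim = $event->getEntity();
        $damager = $event->getDamager(); // ?Entity: null if the damager can no longer be resolved

        $stale = $this->isDespawning($victim)
            || ($damager !== null && $this->isDespawning($damager));

        if ($stale) {
            $event->cancel();
            // Matches remediation step 5: leave a log trail of blocked attempts.
            $this->getLogger()->warning(sprintf(
                "Blocked damage event involving a despawning entity (victim #%d, damager %s)",
                $victim->getId(),
                $damager instanceof Player ? $damager->getName()
                    : ($damager === null ? "unresolved" : "#" . $damager->getId())
            ));
        }
    }

    /** True once the entity has begun despawning, even if it is not yet purged. */
    private function isDespawning(Entity $entity) : bool {
        if ($entity->isClosed() || $entity->isFlaggedForDespawn()) {
            return true;
        }
        // A player whose session has ended is despawning even before the entity is closed.
        return $entity instanceof Player && !$entity->isConnected();
    }
}
```

Deploy it as a normal plugin (a plugin.yml naming Example\DespawnGuard\Main as the main class, with the api field set to the server's 5.x API version) and drop it into the server's plugins directory. Note that this only covers the event layer: the upstream fix in 5.39.2 adds state checks directly in the packet handlers and world interactors, which a plugin cannot reach, so the guard reduces exposure but is not a substitute for upgrading.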

Remediation Steps:

  1. Verify current PocketMine-MP version via server logs or console commands.
  2. Backup server data, including player inventories and world files, prior to updates.
  3. Update the composer dependencies or download the latest pocketmine/pocketmine-mp phar binary (version 5.39.2+).
  4. Restart the server service to load the updated core handlers.
  5. Monitor server logs for disconnect and death events for the same player logged at the same instant, which indicate attempted exploitation.

Read the full report for GHSA-F9JP-856V-8642 on our website for more details including interactive diagrams and full exploit analysis.
