Main Vulnerability Database Vulnerabilities #VU125430

Time-of-check Time-of-use (TOCTOU) Race Condition in PocketMine-MP - #VU125430

Published: April 8, 2026

Vulnerability identifier: #VU125430

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-367

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: PMMP

Affected software:
PocketMine-MP

Detailed vulnerability description

The vulnerability allows a remote attacker to duplicate items and XP drops.

The vulnerability exists due to improper state validation in the entity attack handler when processing attack packets for entities marked for despawn. A remote attacker can send a timed attack against a player entity during disconnect handling to duplicate items and XP drops.

Exploitation requires precise timing during the short interval after the target player has initiated disconnect and before the entity is removed from the world's entity table.

Remediation

Install security update from vendor's website.

Sources

https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-f9jp-856v-8642

Time-of-check Time-of-use (TOCTOU) Race Condition in PocketMine-MP - #VU125430

Detailed vulnerability description

Remediation

Sources

Please verify you're human