Main Vulnerability Database Vulnerabilities #VU125430

#VU125430 Time-of-check Time-of-use (TOCTOU) Race Condition in PocketMine-MP

Published: April 8, 2026

Vulnerability identifier: #VU125430

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-367

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PocketMine-MP

Software vendor:
PMMP

Description

The vulnerability allows a remote attacker to duplicate items and XP drops.

The vulnerability exists due to improper state validation in the entity attack handler when processing attack packets for entities marked for despawn. A remote attacker can send a timed attack against a player entity during disconnect handling to duplicate items and XP drops.

Exploitation requires precise timing during the short interval after the target player has initiated disconnect and before the entity is removed from the world's entity table.

Remediation

Install security update from vendor's website.

External links

https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-f9jp-856v-8642

#VU125430 Time-of-check Time-of-use (TOCTOU) Race Condition in PocketMine-MP

Description

Remediation

External links

Please verify you're human