Listen to this Post
The vulnerability arises because when an entity dies, it is flagged for despawn but remains in the World’s entity table, making it accessible via World->getEntity($entityId). This also applies to a player disconnecting. A network packet to attack an entity is processed without verifying if the entity is already flagged for despawning. This creates a race condition: if an attack is processed while the entity is in this flagged state, the death handler can execute multiple times. Consequently, loot and experience points (XP) are dropped repeatedly, leading to item duplication. To exploit this, two clients are required. Player A (victim) must have valuable items and exactly 1 HP. Player B (attacker) needs a weapon that deals at least 1 damage. The attack sequence is as follows: Player A stands near Player B, then initiates a disconnect. In the split-second before the disconnect completes, Player B attacks and kills Player A. The victim’s character dies server-side, dropping the inventory, which Player B collects. When Player A logs back in, they still possess the original items, while Player B retains the duplicated drops. The patch for this issue was implemented by adding checks for flagged-for-despawn entities in several affected locations. A cleaner solution would have been to modify the World’s entity access methods to exclude flagged entities, but this was considered too risky for the 5.x branch due to the significant internal changes required. A workaround for older versions involves plugins handling the EntityDamageByEntityEvent, checking if the victim entity is flagged for despawn, and cancelling the event accordingly.
Platform: PocketMine-MP
Version: 5.x
Vulnerability: Item duplication
Severity: Low
date: 2026-04-04
Prediction: 2026-04-11
Analytics under heading What Undercode Say:
The exploitation of this vulnerability relies on precise timing between a client disconnect and an attack. This race condition is a classic concurrency issue in server software where state changes are not atomic. The lack of a flag check in the attack handler allows the death event to be triggered multiple times before the entity is fully cleaned up. This issue is similar to other desynchronization bugs found in multiplayer game servers. The fix, while effective, highlights a trade-off between a complete architectural change (excluding flagged entities from queries) and a targeted patch. Server administrators should prioritize updating to the patched version or applying the plugin-based workaround to prevent economic disruption on their servers. The duplication method is straightforward and can be weaponized by malicious players to crash in-game economies.
!/bin/bash
PocketMine-MP server vulnerability check
This script checks if the server is vulnerable to GHSA-f9jp-856v-8642
echo "Checking PocketMine-MP version..."
Extract version from pocketmine.yml or version info
if [ -f "pocketmine.yml" ]; then
VERSION=$(grep "version:" pocketmine.yml | awk '{print $2}')
echo "Detected version: $VERSION"
if [[ "$VERSION" == "5.32.0" || "$VERSION" < "5.32.1" ]]; then
echo "Vulnerable version detected. Please update to 5.32.1 or higher."
else
echo "Version appears patched."
fi
else
echo "pocketmine.yml not found. Manual verification required."
fi
Exploit:
1. Prerequisites:
- Two Minecraft Bedrock clients (Player A and Player B).
- Player A’s health reduced to 1 HP.
- Player B equipped with any damage-dealing weapon.
- Player A carrying valuable items to duplicate.
2. Execution:
- Player A and Player B stand adjacent in the game world.
- Player A initiates the disconnect sequence (e.g., clicking “Disconnect”).
- Within a few milliseconds, Player B attacks and kills Player A.
- Player A’s death is processed server-side, dropping the inventory.
- Player B collects the dropped items.
- Player A logs back into the server, still possessing the original items.
- The duplication is complete.
Protection from this CVE
- Update to the latest version: The official patch was merged in commit
c0719b7. Ensure your server is running PocketMine-MP version 5.32.1 or any later version that includes this fix. - Apply the plugin-based workaround: For servers that cannot be updated immediately, install a plugin that listens to the
EntityDamageByEntityEvent. The plugin should check if the victim entity is flagged for despawn ($entity->isFlaggedForDespawn()) and cancel the event if true. This prevents the death handler from being triggered on a despawn-bound entity. - Network Monitoring: Monitor server logs for rapid disconnect-reconnect patterns combined with PvP events, as this may indicate an attempted exploit.
Impact
- Economic Disruption: Attackers can duplicate any item, including rare and valuable ones, leading to severe inflation and devaluation of in-game currency and items.
- Server Instability: The repeated execution of death handlers can cause increased server load and potential memory leaks if the issue is triggered frequently.
- Loss of Player Trust: Exploitation of this vulnerability can undermine the fairness of the game, leading to player dissatisfaction and server abandonment.
- Exploit Propagation: The simplicity of the duplication method makes it easy for malicious players to share and replicate, causing widespread economic damage across vulnerable servers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

