Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-fqx3-r75h-vc89

HIGH

Improperly checked IDs on itemstacks received from the client leading to server crash in PocketMine-MP

Published
Jun 7, 2022
Updated
Dec 26, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

Blast Radius

1 pkg affected
🐘pocketmine/pocketmine-mp

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Impact

Due to a workaround for unmapped network items implemented in 4.0.0-BETA5 (8ac16345a3bc099b62c1f5cfbf3b736e621c3f76), arbitrary item IDs are able to be written into an item's NBT. The intended purpose of this is to make said unmapped network items able to be moved around the inventory without issues.

This led to an exploit due to internal limits on the range that item IDs can occupy (-32768 - 32767), while the tag type used to represent the replacement IDs for unknown items is a TAG_Int, allowing a range from -(2^31) - 2^31 - 1. This leads to an uncaught exception which crashes the server.

Patches

5fd685e07d61ef670584ed11a52fd5f4b99a81a7

Workarounds

In theory this can be checked by plugins using a custom TypeConverter, but this is likely to be very cumbersome.

For more information

If you have any questions or comments about this advisory:

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistpocketmine/pocketmine-mp4.0.0-BETA5&&< 4.4.24.4.2

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pocketmine/pocketmine-mp. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update pocketmine/pocketmine-mp to 4.4.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-fqx3-r75h-vc89 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-fqx3-r75h-vc89 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-fqx3-r75h-vc89. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact Due to a workaround for unmapped network items implemented in 4.0.0-BETA5 (8ac16345a3bc099b62c1f5cfbf3b736e621c3f76), arbitrary item IDs are able to be written into an item's NBT. The intended purpose of this is to make said unmapped network items able to be moved around the inventory without issues. This led to an exploit due to internal limits on the range that item IDs can occupy (-32768 - 32767), while the tag type used to represent the replacement IDs for unknown items is a `TAG_Int`, allowing a range from -(2^31) - 2^31 - 1. This leads to an uncaught exception which crashes t
O3 Security · Impact-Aware SCA

Is GHSA-fqx3-r75h-vc89 in your dependencies?

O3 detects GHSA-fqx3-r75h-vc89 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works