
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity vulnerability (GHSA-h87r-f4vc-mchv) was discovered in PocketMine-MP versions prior to 4.18.1, affecting the network handling of inventories. The vulnerability was discovered and disclosed on May 30, 2023, and was patched in version 4.18.1. The issue allowed players to request dropping more items than they had available in their hotbar, which could lead to server crashes (GitHub Advisory).
The vulnerability was introduced in version 4.18.0 during a complete revamp of the network handling of inventories. It has a CVSS v3.1 score of 7.5 (High); the base metrics are Network attack vector, Low attack complexity, No privileges required, No user interaction, Unchanged scope, No confidentiality or integrity impact, and High availability impact (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The underlying defect was in the inventory transaction handling: the server did not validate the quantity of items a player requested to drop against the quantity actually present in the player's inventory (GitHub Advisory).
The primary impact of this vulnerability was the ability to crash the server through improper item dropping requests. While the vulnerability did not lead to any item duplication issues, it was reported to have been exploited in the wild, causing service disruptions for affected servers (GitHub Advisory).
The vulnerability was patched in version 4.18.1 through commit 58974765a68f63a9968a7ff3a06f584ff2ee08d2. A workaround exists: handle InventoryTransactionPacket in DataPacketReceiveEvent and verify the requested drop count against the held item count. It is not recommended, however, because of the implementation complexity involved. The recommended fix is to upgrade to version 4.18.1 or later (PocketMine Changelog).
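The following PHP script is an added illustration of the check the advisory describes (PocketMine-MP is written in PHP); it is not PocketMine-MP's own code and does not use its API. The hotbar model, the request shape and the function names applyDropUnchecked and applyDropValidated are all assumptions made for this example. The unchecked handler models the pre-4.18.1 behaviour of applying a drop quantity without comparing it to the stack actually held, and the validated handler shows the checks a fix or a DataPacketReceiveEvent workaround needs to perform: slot exists, quantity is positive, quantity does not exceed what the player holds.

```php
<?php
declare(strict_types=1);

// Added illustration of the validation the advisory describes. Not
// PocketMine-MP code; the hotbar model, request shape and function names
// are assumptions made for this example.

// Constructed hotbar: slot index => ['item' => name, 'count' => stack size].
const SAMPLE_HOTBAR = [
    0 => ['item' => 'diamond', 'count' => 5],
    1 => ['item' => 'arrow',   'count' => 64],
    2 => ['item' => 'bread',   'count' => 1],
];

/**
 * Shape of the pre-4.18.1 defect, modelled: the requested quantity is applied
 * to the slot without first checking it against what is actually held.
 */
function applyDropUnchecked(array $hotbar, int $slot, int $count): array
{
    $held = $hotbar[$slot]['count'] ?? 0;       // missing slot treated as empty
    $hotbar[$slot]['count'] = $held - $count;   // can go negative
    if ($hotbar[$slot]['count'] < 0) {
        // A stack with a negative size breaks an invariant the rest of the
        // server relies on; this throw stands in for the unhandled error
        // that ended in a crash on affected versions.
        throw new RuntimeException("slot $slot would hold a negative stack");
    }
    return $hotbar;
}

/**
 * Validated handler: checks every field of the request before mutating
 * anything and rejects the whole request on any failure.
 * Returns the updated hotbar, or null if the request was rejected.
 */
function applyDropValidated(array $hotbar, int $slot, int $count): ?array
{
    if (!array_key_exists($slot, $hotbar)) {
        return null;                            // slot does not exist
    }
    if ($count <= 0) {
        return null;                            // zero or negative quantity
    }
    if ($count > $hotbar[$slot]['count']) {
        return null;                            // more than the player holds
    }
    $hotbar[$slot]['count'] -= $count;
    return $hotbar;
}

// Constructed batch of drop requests: one honest, the rest malformed.
$requests = [
    ['slot' => 0, 'count' => 3],    // legitimate: 5 diamonds held, drop 3
    ['slot' => 0, 'count' => 9],    // over-count: asks for more than held
    ['slot' => 2, 'count' => 2],    // over-count on a single-item stack
    ['slot' => 7, 'count' => 1],    // slot that does not exist
];

foreach ($requests as $req) {
    $label = "slot {$req['slot']}, count {$req['count']}";

    try {
        applyDropUnchecked(SAMPLE_HOTBAR, $req['slot'], $req['count']);
        $unchecked = 'accepted';
    } catch (Throwable $e) {
        $unchecked = 'CRASH: ' . $e->getMessage();
    }

    $result  = applyDropValidated(SAMPLE_HOTBAR, $req['slot'], $req['count']);
    $checked = $result === null ? 'rejected' : 'accepted';

    printf("%-18s unchecked=%-44s validated=%s\n", $label, $unchecked, $checked);
}
```

Run it with `php drop_check.php`: only the first request passes the validated handler, while the unchecked handler raises on each of the malformed ones. The validated handler rejects the request outright rather than clamping the count to what is held; rejecting keeps the server's view and the client's view of the inventory from silently drifting apart, which is what a server-side resync or a logged rejection can then act on.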
Source: This report was generated using AI