PT-2022-28189 · Unknown · Pocketmine-Mp

Published: 2022-03-18 · Updated: 2022-03-18

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

PocketMine-MP versions prior to the version containing commit c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1

Description

The issue arises from a workaround applied in version 1.13, allowing an attacker to send a negative damage or meta value in a tool or armor item's NBT. The TypeConverter then uses this value without validation, leading to an exception when it reaches Durable->setDamage(), as the metadata is outside the expected range for damage values. This can be triggered with either a too-large damage value or a negative one.

Recommendations

For versions prior to the one containing commit c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1, consider using a custom TypeConverter in plugins to validate metadata values, although this may be cumbersome. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
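The range check the recommendation describes, as an added example: this is a self-contained PHP model, not PocketMine-MP code and not the change made in commit c8e1cfcbee4945fd4b63d2a7e96025c59744d4f1. The names `DurableModel`, `convertUnchecked`, `convertValidated` and `BadItemData`, the array shape of the network item and the durability limit of 250 are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a durable item (tool or armor); not PocketMine-MP's class.
final class DurableModel {
    private int $damage = 0;
    public function __construct(private int $maxDurability) {}
    public function getDamage(): int { return $this->damage; }
    // Models the behaviour in the description: out-of-range values raise an exception.
    public function setDamage(int $damage): void {
        if ($damage < 0 || $damage > $this->maxDurability) {
            throw new InvalidArgumentException("Damage must be in range 0-{$this->maxDurability}");
        }
        $this->damage = $damage;
    }
}

// "Before": the client-supplied value reaches setDamage() without validation.
function convertUnchecked(array $netItem, int $maxDurability): DurableModel {
    $item = new DurableModel($maxDurability);
    $item->setDamage($netItem['damage']); // throws on -1 or on a too-large value
    return $item;
}

// "After": reject out-of-range input at the trust boundary with a dedicated
// exception type that the caller can handle as malformed client data.
final class BadItemData extends RuntimeException {}

function convertValidated(array $netItem, int $maxDurability): DurableModel {
    $damage = $netItem['damage'] ?? null;
    if (!is_int($damage) || $damage < 0 || $damage > $maxDurability) {
        throw new BadItemData('damage out of range: ' . var_export($damage, true));
    }
    $item = new DurableModel($maxDurability);
    $item->setDamage($damage);
    return $item;
}

// Constructed sample inputs (not captured traffic).
foreach ([['damage' => 10], ['damage' => -1], ['damage' => 99999]] as $netItem) {
    try {
        $item = convertValidated($netItem, 250);
        echo "accepted damage={$item->getDamage()}\n";
    } catch (BadItemData $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```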

Exploit

Incorrect Type Conversion or Cast


Weakness Enumeration

Related Identifiers

GHSA-46C5-PFJ8-FV65

Affected Products

Pocketmine-Mp