Explanation

The server-side handling of FillRecipeC2SPacket does not sanity-check the size of stacks sent from the client.

In normal gameplay this is not cause for concern, as the max stack size of output stacks is checked on the client before sending a FillRecipeC2SPacket to the server. However, the vulnerability still exists and can be abused by a malicious client, allowing the player to stack items past the value of their minecraft:max_stack_size component.

Evidence

This is a clip of:

• How this normally doesn't happen. Even when you might have enough of an item to stack past its limit while crafting, the stack size is regulated on the client.
• An example of how a client-sided mod can abuse this vulnerability to stack items past their regular max stack size, using a client mod I created for this issue (which I will not upload here as this is a genuine vulnerability; if the EMI devs want a copy of the mod, contact me somewhere private)

Environment

This happens in both singleplayer and dedicated server environments.

Mods used in the example video.

Thanks for discovering this, should be fixed in 1.1.21