
Various cases of insufficient server-side validation enabling arbitrary chunk generation, item creation, and teleportation
pau101 opened this issue · 5 comments
In several serverbound packets which query a block position, a World#isBlockLoaded precondition is neglected, enabling malicious packets to cause the generation of arbitrary chunks, consuming an excessive amount of processing power and memory on the server:
- PacketRedstoneMode
- PacketMode
- PacketIoMode
- PacketItemBuffer
- PacketCapBank
- PacketClientState
- PacketAccessMode
- PacketOpenAuthGui (Consecutive call invokes World#getBlockState)
- PacketLabel
- PacketConduitProbe
- PacketOpenConduitUI
Most of the above packets could be utilizing MessageTileEntity which recently got this vulnerability resolved. As well, many of these packets should be ensuring that the player is within reach distance.
PacketUpdateLocationPrintout enables a malicious client to add arbitrary items to their inventory due to a lack of server-side validation.
PacketDarkSteelPowerPacket enables the arbitrary mitigation of fall damage.
Note: very minor considering it is possible with a vanilla packet
PacketTravelEvent enables arbitrary teleportation due to the lack of server-side validation.
This report is targeted towards 1.10 but these issues exist in all versions which contain the specified classes.
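The two preconditions the report asks for (reach distance and a loaded-block check before any world access), as an added example that is not part of the original issue and not the mod's own code. `ModelWorld`, `handle` and `MAX_REACH_SQ` are hypothetical stand-ins so the file runs without Minecraft; only the name `isBlockLoaded` is taken from the issue, and the reach limit is an assumed value.

```java
import java.util.HashSet;
import java.util.Set;

public class PacketPositionCheck {
    // Hypothetical stand-in for the server world; not Minecraft's World class.
    static class ModelWorld {
        final Set<Long> loadedChunks = new HashSet<>();
        int chunksGenerated = 0;

        static long chunkKey(int x, int z) {
            return ((long) (x >> 4) << 32) | ((z >> 4) & 0xFFFFFFFFL);
        }
        boolean isBlockLoaded(int x, int z) { return loadedChunks.contains(chunkKey(x, z)); }

        // Models an unguarded block query: an unloaded position gets its chunk generated.
        Object getTileEntity(int x, int y, int z) {
            if (loadedChunks.add(chunkKey(x, z))) chunksGenerated++;
            return null; // the model holds no tile entities
        }
    }

    static final double MAX_REACH_SQ = 64.0; // assumed limit (8 blocks), not from the issue

    // Validate the client-supplied position before touching the world.
    static boolean handle(ModelWorld w, double px, double py, double pz, int x, int y, int z) {
        double dx = px - (x + 0.5), dy = py - (y + 0.5), dz = pz - (z + 0.5);
        if (dx * dx + dy * dy + dz * dz > MAX_REACH_SQ) return false; // out of reach
        if (!w.isBlockLoaded(x, z)) return false;  // never let a packet force a chunk load
        w.getTileEntity(x, y, z);                  // chunk is already loaded at this point
        return true;
    }

    public static void main(String[] args) {
        ModelWorld w = new ModelWorld();
        w.loadedChunks.add(ModelWorld.chunkKey(0, 0)); // only the player's chunk is loaded

        // Constructed packet positions: nearby, in reach but unloaded, and far away.
        boolean near = handle(w, 15.5, 64, 1.5, 14, 64, 1);
        boolean edge = handle(w, 15.5, 64, 1.5, 17, 64, 1);
        boolean far = handle(w, 15.5, 64, 1.5, 1_000_000, 64, 1_000_000);
        System.out.println("near=" + near + " edge=" + edge + " far=" + far
                + " generated=" + w.chunksGenerated);

        // Unguarded path for comparison: the same far position generates a chunk.
        w.getTileEntity(1_000_000, 64, 1_000_000);
        System.out.println("unguarded generated=" + w.chunksGenerated);
    }
}
```

The in-reach but unloaded position shows why the reach check alone is not enough at chunk borders: both checks are needed before the handler queries the world.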
Chunk loading attack? That's a new one. Does vanilla really protect against that?
PacketTravelEvent needs a complete rewrite of all travel-related code. It's been in the queue for ages, as nobody wants to touch those. I think the biggest stopper here is the server-side raytracing which has to match what the player sees.
- PacketRedstoneMode
- PacketMode
- PacketIoMode
- PacketItemBuffer
- PacketCapBank
- PacketClientState
- PacketAccessMode
- PacketOpenAuthGui
- PacketLabel
- PacketConduitProbe
- PacketOpenConduitUI
- PacketUpdateLocationPrintout
- PacketTravelEvent