Server reads in serialized NBT data for client-determined ItemStacks.
Several exploits for Minecraft rely on the ability to set NBT data for items when in creative mode. This is made possible through the creative action packet (Client -> Server) - in MCP this is known as
net.minecraft.network.play.client.CPacketCreativeInventoryAction
and in CraftBukkit
net.minecraft.server.PacketPlayInSetCreativeSlot
The problematic point is in the packet serializer. In MCP this is known as
net.minecraft.network.PacketBuffer#readItemStack():381
and in CraftBukkit
net.minecraft.server.PacketDataSerializer#__variable_char__()->ItemStack
The part where it reads the NBT tag is only necessary on the client, and can thus be omitted on the server. Leaving it on the server opens up the ability for players to place holograms, create items that can crash other players, and potentially many other unknown exploits.
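The fix described above, sketched as an added example (not code from Minecraft, MCP or CraftBukkit): a server-side reader that keeps only the fixed-size item fields and never deserializes the client-supplied tag. The class and method names are hypothetical, and the field layout (slot, item id, count, damage, then tag bytes) and the stack-size limit are assumptions of this simplified model.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

// Hypothetical model of a server-side creative-slot reader (not Minecraft code).
public class CreativeSlotReader {
    static final int MAX_STACK = 64; // assumed upper bound for a stack size

    // What the server keeps: there is deliberately no tag field.
    static final class SlotItem {
        final int slot, itemId, count, damage, ignoredTagBytes;
        SlotItem(int slot, int itemId, int count, int damage, int ignoredTagBytes) {
            this.slot = slot; this.itemId = itemId; this.count = count;
            this.damage = damage; this.ignoredTagBytes = ignoredTagBytes;
        }
    }

    // Parses only the fixed-size fields; the trailing tag is never deserialized.
    static SlotItem readServerSide(byte[] payload) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(payload));
        int slot = in.readShort();
        int itemId = in.readShort();
        if (itemId < 0) {                       // negative id models an empty stack
            return new SlotItem(slot, -1, 0, 0, in.available());
        }
        int count = in.readByte();
        int damage = in.readShort();
        if (count < 1 || count > MAX_STACK) {
            throw new IOException("stack size out of range: " + count);
        }
        // Everything left is client-controlled tag data: measure it for logging, do not parse.
        return new SlotItem(slot, itemId, count, damage, in.available());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample packet body: slot 36, item id 1, count 1, damage 0, then tag bytes.
        ByteArrayOutputStream raw = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(raw);
        out.writeShort(36);
        out.writeShort(1);
        out.writeByte(1);
        out.writeShort(0);
        out.write(new byte[] {0x0A, 0x00, 0x00, 0x00}); // placeholder for a serialized tag
        SlotItem item = readServerSide(raw.toByteArray());
        System.out.printf("slot=%d id=%d count=%d damage=%d ignoredTagBytes=%d%n",
                item.slot, item.itemId, item.count, item.damage, item.ignoredTagBytes);
    }
}
```

A non-zero ignoredTagBytes value is a useful signal to log, since it marks a client that attached tag data to a creative-mode item.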