[Bug] State bag replication allows arbitrary model spawning via progressProps (client→all replication exploit

[the-big-gs]

Describe the bug
When LocalPlayer.state:set('lib:progressProps', bigProps, true) is used, the state bag replication behavior causes every nearby client to receive and execute the same data leading to mass model spawning on all clients.

because ox_lib progress props (lib:progressProps) rely on normal state bag synchronization, a malicious client can push a large payload of fake props, causing other players’ clients to create hundreds of entities

To Reproduce
Steps to reproduce the behavior:

1. Create a script that sets a replicated state with a large props table, e.g.:

local bigProps = {}
for i = 1, 600 do
    table.insert(bigProps, {
        model = "p_spinning_anus_s",
        pos = vector3(0.0, 0.0, 0.0),
        rot = vector3(0.0, 0.0, 0.0),
        bone = 0
    })
end
LocalPlayer.state:set('lib:progressProps', bigProps, true)

2. Join the server with at least one other player (non-strict mode)..
3. Trigger the script.
4. Observe that all players nearby start spawning the same models client-side.

Expected behavior
Only the local player who triggers the progress bar should spawn props or run the progress animation.
Other clients should never receive or replicate that state automatically.

Impact
A malicious player can spam hundreds of spawned props for all clients
Causes massive FPS drops and potential client crashes
Works on any server that doesn’t use strict mode

[Maximus7474]

Other clients should never receive or replicate that state automatically.

Incorrect, this is in place so that other clients also display the props as they are created as none networked. I've started messing with changes for this to allow it to work with strict nui statebags while also having some extra protection clientside, by having a maximum amount of props that can be set via convar.

[antond15]

Fixed in #56 / #58.