{"id":"CVE-2025-62782","summary":"InventoryGUI vulnerable to item duplication via Bundle items when using GuiStorageElement","details":"InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT.","aliases":["GHSA-rgvh-4m82-fvjq"],"modified":"2026-04-12T18:47:02.970168Z","published":"2025-10-27T20:50:07.579Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62782.json","cwe_ids":["CWE-837"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62782.json"},{"type":"ADVISORY","url":"https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-rgvh-4m82-fvjq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62782"},{"type":"REPORT","url":"https://github.com/Phoenix616/InventoryGui/issues/51"},{"type":"FIX","url":"https://github.com/Phoenix616/InventoryGui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phoenix616/inventorygui","events":[{"introduced":"0"},{"fixed":"00e684bd689ebc60bcb5b83ce4ef3c5a01778494"}]}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.4"}]}],"vanir_signatures_modified":"2026-04-12T18:47:02Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62782.json","vanir_signatures":[{"signature_type":"Line","deprecated":false,"target":{"file":"src/main/java/de/themoep/inventorygui/GuiStorageElement.java"},"signature_version":"v1","digest":{"line_hashes":["145666348224457169577786363403626018755","311816063490963696316923048496413969947","257607004341042734467718713882600346852","232723257273469902966993632982184475534","295361484767764038626680623991642539786","235418723405078612679866754834593741372","162185252850738148297954695806917686882","121685592874858552632345617394638618408"],"threshold":0.9},"id":"CVE-2025-62782-073fba43","source":"https://github.com/phoenix616/inventorygui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494"},{"signature_type":"Function","deprecated":false,"target":{"function":"GuiStorageElement","file":"src/main/java/de/themoep/inventorygui/GuiStorageElement.java"},"signature_version":"v1","digest":{"length":4016,"function_hash":"174944923324403684357817921654350894557"},"id":"CVE-2025-62782-d9124177","source":"https://github.com/phoenix616/inventorygui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:L"}]}