{"id":"CVE-2025-62784","summary":"InventoryGui allows item duplication in GUIs which use GuiStorageElement","details":"InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.5.","aliases":["GHSA-7whh-79j3-7c55"],"modified":"2026-04-12T18:47:03.271999Z","published":"2025-10-27T20:59:22.085Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62784.json","cwe_ids":["CWE-837"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62784.json"},{"type":"ADVISORY","url":"https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-7whh-79j3-7c55"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62784"},{"type":"FIX","url":"https://github.com/Phoenix616/InventoryGui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/phoenix616/inventorygui","events":[{"introduced":"0"},{"fixed":"690fc91d137c6cc04f6ed3a89449050964dd8cb9"}]}],"database_specific":{"vanir_signatures_modified":"2026-04-12T18:47:03Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.6.5"}]},{"events":[{"introduced":"0"},{"fixed":"1.6.5"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62784.json","vanir_signatures":[{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-1af88b18","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["197458983419255916039819442273460511750","311487646144608252098944941922052276349","327763901248097851781940266056776404019","194136928868373176170496100362315972825","221408038028454079369015925231854540479","220517556265272777011716637145756079621","149292611814604454245114879416886157146","86679739359874918286177789169898090931","335255367170683306995344260457531773472","333945522953884944265828769744674426840","307255627990358800840002705880269269097","43332307589140763509739085399246807662","260827053579547019950819428118274950027","270074173335701386616620637029216211427","27877145683041370853234030097949063550","89704384154195202476899689810697811612","168472324686647915200581814188226999818","152055260360034110496521174412182331031","300255766283152659730887658709774959479","152931320092231555013413661175565790592","11636510966843430315397123597936220966","277864312130226813409327619072708013113","21632069445242113994901276086701048132","267025014062442033790744553824829660491","325757831834416767975520660404779123471","123735762917066867393162803453620288513","219951074718056068543002790336927149249","185989721001066125365688279240750558966","127504696215960127307882920864726007990","188115836650735909148254867013962860021","72357570528990211644755831249365261322","127758854209429848641658676762269417391","23318332290211443066504140509859215304","73242152921303568876057067098107395954","108587633537507210242609878158511307392","54861354965306343528369348864762375019","20600054169014422297474536912905873519","142006446931596507442698471793381842512","337630811218951158866941415992526356821","312294003267785230503847873064079744401","110931039064653331023417034061322610074","193921484059142868930424034427429472102","156786731269451960477555550582401867341","117879901928556563471061295842905335967","333618442964767929645880221061288969965","314874428477269955563788151541809106891"]},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"onInventoryClose","file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-2cb6c8b6","signature_type":"Function","digest":{"function_hash":"95849670902559062520616752001510581124","length":1025},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"draw","file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-41d7810a","signature_type":"Function","digest":{"function_hash":"58459925889748065563392906260840622269","length":106},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"GuiStorageElement","file":"src/main/java/de/themoep/inventorygui/GuiStorageElement.java"},"signature_version":"v1","id":"CVE-2025-62784-89d4d4e7","signature_type":"Function","digest":{"function_hash":"179867549077058912586811792340590488900","length":4136},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"storeItems","file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-b9e21c75","signature_type":"Function","digest":{"function_hash":"262588158290255052542402014939221864972","length":331},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"setPageNumber","file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-c6f88daf","signature_type":"Function","digest":{"function_hash":"159887109549241191730018459169930710501","length":205},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"file":"src/main/java/de/themoep/inventorygui/GuiStorageElement.java"},"signature_version":"v1","id":"CVE-2025-62784-eb44c64f","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["145666348224457169577786363403626018755","277121695498207738614204291520251990093","532046246256584063689154473322610383","132885952874961020493774505239742055334","9678196761791430039048125431032498026","245590383563421265047609592096464922305","121267563453505570007974800701173224199","38053253862045733249391007200510192864","177572478348588656183351449834444854338","154656941767340999548390627664431860103","260792419478276383089278586263636899950","204371833959874232885142193760927569604","301485131542238720915266803390767869975","238447140257251989287174730123434912540","215911959967955755110121073107167997229","238872308887137096337545398367520070886","244314597185275193978580582016050572357","175668730634315330855052524540314867937","146118631943895934375991551982883100398","272872890560805896453978483498922713592","187971511535931750680751027815667387573","10359800632711345396009792738689821767","147270906282257256577275636801867740888","202394297138874945965813651700518276730","279537337609023842897834930102772616688","306748985937582452110861321051429079625","102251606459163040919740582042045947577","207437030340860831571201096857825332813","152763349138741691275127304869019755291","108384684809500150328482593885470509426","160821936847369761449619720102216230035","246202188399778363335188104230911772467","202073507276444133018539294132438437896","285824220384578869221906404465637006202","241212838967942510421359765704193335900","132862945134704508887485372458249218777","43502194979466435636867697445254459160","210411453793581763819312020850076257118","278217623072793497623276687698289552480","265903951524176637954782285439505948403","33961765013773613367488763215109991468","237124695413883747223139450500552716653","317796390504417552418285340846290720582","232833000529802396642572684887196248891","273873710529109066498624135926162512126","205007209157066597898585144809242566176","290183994315631071379832616650328986793","137185720440324786254732642451083734378","75763852210144606663218644558299939992","29622337739203127904272038214879382524","209694833563064592638982307835672049918","167781487439293418203014234483813200035","286863816017690050028396844569232716174","11292674979385127947762448338927151683","195968672227811395912313984458852765364","197243802296188197777757856852240455900","235168337056813055838687851934873060428","144680183143394241781030225388916719248","335812225788148215726708618742350617152","65762424837997367732990912558090288755","106622393235371003519118701751005397032","120149299297667546254476430872950557014","146480518080041971564775966940278005238","85627428944513995934125549271025327880","74064299129585430239851448912885804812","159724450763695836585183721809520262085","188181180425858916611054417442454321862","83696664752122295487398807084746307866","167665340310724225559873967355400706082","11852266773843383078123183166648285995","323584832205218159664095277299805711620","311514992758885386217123091022321763329","14189195463769591364806343149401268432","233065998417574319664994874548650134793"]},"deprecated":false},{"source":"https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9","target":{"function":"draw","file":"src/main/java/de/themoep/inventorygui/InventoryGui.java"},"signature_version":"v1","id":"CVE-2025-62784-ee0b2b95","signature_type":"Function","digest":{"function_hash":"204109660463608615108427520380195217290","length":861},"deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"}]}