CVE-2025-62782

Source
https://cve.org/CVERecord?id=CVE-2025-62782
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62782.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-62782
Aliases
Published
2025-10-27T20:50:07.579Z
Modified
2026-04-12T18:47:02.970168Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:L
Summary
InventoryGui vulnerable to item duplication via Bundle items when using GuiStorageElement
Details

InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62782.json",
    "cwe_ids": [
        "CWE-837"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/phoenix616/inventorygui

Affected ranges

Type
GIT
Repo
https://github.com/phoenix616/inventorygui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.6.4"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62782.json"
vanir_signatures_modified
"2026-04-12T18:47:02Z"
vanir_signatures
[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2025-62782-073fba43",
        "signature_version": "v1",
        "source": "https://github.com/phoenix616/inventorygui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494",
        "target": {
            "file": "src/main/java/de/themoep/inventorygui/GuiStorageElement.java"
        }
    },
    {
        "digest": {
            "length": 4016.0,
            "function_hash": "174944923324403684357817921654350894557"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2025-62782-d9124177",
        "signature_version": "v1",
        "source": "https://github.com/phoenix616/inventorygui/commit/00e684bd689ebc60bcb5b83ce4ef3c5a01778494",
        "target": {
            "function": "GuiStorageElement",
            "file": "src/main/java/de/themoep/inventorygui/GuiStorageElement.java"
        }
    }
]