CVE-2025-62784
- Source
- https://cve.org/CVERecord?id=CVE-2025-62784
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62784.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-62784
- Aliases
- Published
- 2025-10-27T20:59:22.085Z
- Modified
- 2026-04-12T18:47:03.271999Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
- Summary
- InventoryGui allows item duplication in GUIs which use GuiStorageElement
- Details
-
InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions before 1.6.5 contain a vulnerability where any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.5.
- Database specific
{ "cwe_ids": [ "CWE-837" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62784.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62784.json
- https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-7whh-79j3-7c55
- https://nvd.nist.gov/vuln/detail/CVE-2025-62784
- https://github.com/Phoenix616/InventoryGui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9
Affected packages
Git / github.com/phoenix616/inventorygui
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phoenix616/inventorygui
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
vanir_signatures_modified
"2026-04-12T18:47:03Z"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.5"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.5"
}
]
}
]
vanir_signatures
[
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-1af88b18",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"197458983419255916039819442273460511750",
"311487646144608252098944941922052276349",
"327763901248097851781940266056776404019",
"194136928868373176170496100362315972825",
"221408038028454079369015925231854540479",
"220517556265272777011716637145756079621",
"149292611814604454245114879416886157146",
"86679739359874918286177789169898090931",
"335255367170683306995344260457531773472",
"333945522953884944265828769744674426840",
"307255627990358800840002705880269269097",
"43332307589140763509739085399246807662",
"260827053579547019950819428118274950027",
"270074173335701386616620637029216211427",
"27877145683041370853234030097949063550",
"89704384154195202476899689810697811612",
"168472324686647915200581814188226999818",
"152055260360034110496521174412182331031",
"300255766283152659730887658709774959479",
"152931320092231555013413661175565790592",
"11636510966843430315397123597936220966",
"277864312130226813409327619072708013113",
"21632069445242113994901276086701048132",
"267025014062442033790744553824829660491",
"325757831834416767975520660404779123471",
"123735762917066867393162803453620288513",
"219951074718056068543002790336927149249",
"185989721001066125365688279240750558966",
"127504696215960127307882920864726007990",
"188115836650735909148254867013962860021",
"72357570528990211644755831249365261322",
"127758854209429848641658676762269417391",
"23318332290211443066504140509859215304",
"73242152921303568876057067098107395954",
"108587633537507210242609878158511307392",
"54861354965306343528369348864762375019",
"20600054169014422297474536912905873519",
"142006446931596507442698471793381842512",
"337630811218951158866941415992526356821",
"312294003267785230503847873064079744401",
"110931039064653331023417034061322610074",
"193921484059142868930424034427429472102",
"156786731269451960477555550582401867341",
"117879901928556563471061295842905335967",
"333618442964767929645880221061288969965",
"314874428477269955563788151541809106891"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "onInventoryClose",
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-2cb6c8b6",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "95849670902559062520616752001510581124",
"length": 1025.0
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "draw",
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-41d7810a",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "58459925889748065563392906260840622269",
"length": 106.0
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "GuiStorageElement",
"file": "src/main/java/de/themoep/inventorygui/GuiStorageElement.java"
},
"id": "CVE-2025-62784-89d4d4e7",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "179867549077058912586811792340590488900",
"length": 4136.0
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "storeItems",
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-b9e21c75",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "262588158290255052542402014939221864972",
"length": 331.0
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "setPageNumber",
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-c6f88daf",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "159887109549241191730018459169930710501",
"length": 205.0
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"file": "src/main/java/de/themoep/inventorygui/GuiStorageElement.java"
},
"id": "CVE-2025-62784-eb44c64f",
"signature_type": "Line",
"signature_version": "v1",
"deprecated": false,
"digest": {
"line_hashes": [
"145666348224457169577786363403626018755",
"277121695498207738614204291520251990093",
"532046246256584063689154473322610383",
"132885952874961020493774505239742055334",
"9678196761791430039048125431032498026",
"245590383563421265047609592096464922305",
"121267563453505570007974800701173224199",
"38053253862045733249391007200510192864",
"177572478348588656183351449834444854338",
"154656941767340999548390627664431860103",
"260792419478276383089278586263636899950",
"204371833959874232885142193760927569604",
"301485131542238720915266803390767869975",
"238447140257251989287174730123434912540",
"215911959967955755110121073107167997229",
"238872308887137096337545398367520070886",
"244314597185275193978580582016050572357",
"175668730634315330855052524540314867937",
"146118631943895934375991551982883100398",
"272872890560805896453978483498922713592",
"187971511535931750680751027815667387573",
"10359800632711345396009792738689821767",
"147270906282257256577275636801867740888",
"202394297138874945965813651700518276730",
"279537337609023842897834930102772616688",
"306748985937582452110861321051429079625",
"102251606459163040919740582042045947577",
"207437030340860831571201096857825332813",
"152763349138741691275127304869019755291",
"108384684809500150328482593885470509426",
"160821936847369761449619720102216230035",
"246202188399778363335188104230911772467",
"202073507276444133018539294132438437896",
"285824220384578869221906404465637006202",
"241212838967942510421359765704193335900",
"132862945134704508887485372458249218777",
"43502194979466435636867697445254459160",
"210411453793581763819312020850076257118",
"278217623072793497623276687698289552480",
"265903951524176637954782285439505948403",
"33961765013773613367488763215109991468",
"237124695413883747223139450500552716653",
"317796390504417552418285340846290720582",
"232833000529802396642572684887196248891",
"273873710529109066498624135926162512126",
"205007209157066597898585144809242566176",
"290183994315631071379832616650328986793",
"137185720440324786254732642451083734378",
"75763852210144606663218644558299939992",
"29622337739203127904272038214879382524",
"209694833563064592638982307835672049918",
"167781487439293418203014234483813200035",
"286863816017690050028396844569232716174",
"11292674979385127947762448338927151683",
"195968672227811395912313984458852765364",
"197243802296188197777757856852240455900",
"235168337056813055838687851934873060428",
"144680183143394241781030225388916719248",
"335812225788148215726708618742350617152",
"65762424837997367732990912558090288755",
"106622393235371003519118701751005397032",
"120149299297667546254476430872950557014",
"146480518080041971564775966940278005238",
"85627428944513995934125549271025327880",
"74064299129585430239851448912885804812",
"159724450763695836585183721809520262085",
"188181180425858916611054417442454321862",
"83696664752122295487398807084746307866",
"167665340310724225559873967355400706082",
"11852266773843383078123183166648285995",
"323584832205218159664095277299805711620",
"311514992758885386217123091022321763329",
"14189195463769591364806343149401268432",
"233065998417574319664994874548650134793"
],
"threshold": 0.9
}
},
{
"source": "https://github.com/phoenix616/inventorygui/commit/690fc91d137c6cc04f6ed3a89449050964dd8cb9",
"target": {
"function": "draw",
"file": "src/main/java/de/themoep/inventorygui/InventoryGui.java"
},
"id": "CVE-2025-62784-ee0b2b95",
"signature_type": "Function",
"signature_version": "v1",
"deprecated": false,
"digest": {
"function_hash": "204109660463608615108427520380195217290",
"length": 861.0
}
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62784.json"