VYPR
Moderate severity · NVD Advisory · Published Oct 27, 2025 · Updated Oct 28, 2025

InventoryGUI vulnerable to item duplication via Bundle items when using GuiStorageElement

CVE-2025-62782

Description

InventoryGui is a library for creating chest GUIs for Bukkit/Spigot plugins. Versions 1.6.3-SNAPSHOT and earlier contain a vulnerability where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability is resolved in version 1.6.4-SNAPSHOT.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

InventoryGui library <=1.6.3-SNAPSHOT allows item duplication via Bundle items in GuiStorageElement when the experimental Bundle feature is enabled.

Root Cause

CVE-2025-62782 is a vulnerability in the InventoryGui library (versions 1.6.3-SNAPSHOT and earlier) that enables item duplication. The flaw exists in the GuiStorageElement class, which is used to create chest GUIs for Bukkit/Spigot plugins. Specifically, the library does not properly handle the experimental Minecraft "Bundle" item type. When the Bundle feature is enabled on the server, a player can interact with a GUI using a Bundle to trigger a state where items are duplicated, effectively creating copies of items without consuming the originals [1].

Exploitation

Exploitation requires that the server has the experimental Bundle item feature enabled (a non-default setting). An attacker must have access to a Bundle item and be able to interact with a GUI that uses GuiStorageElement. The attack does not require high privileges; any player with permission to open the affected GUI can potentially trigger the duplication. The vulnerability can be triggered through right-click interactions that involve a Bundle item on the cursor, in the slot, or in the storage element [2][4].

Impact

A successful exploit allows an attacker to duplicate items, which can disrupt server economies, inflate item inventories, and break gameplay balance. This duplication could be used repeatedly, leading to severe economic imbalance or resource hoarding on affected servers [1][2].

Mitigation

The vulnerability is patched in version 1.6.4-SNAPSHOT. The commit fixes the issue by explicitly blocking interactions involving Bundle items in storage elements, ensuring they cannot be added or emptied through the GUI [4]. Server administrators should update their InventoryGui dependency to version 1.6.4-SNAPSHOT or later. If immediate updating is not possible, disabling the experimental Bundle item feature on the server may serve as a workaround [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
de.themoep:inventorygui (Maven) | < 1.6.4-SNAPSHOT | 1.6.4-SNAPSHOT
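
To act on the update guidance, an administrator first has to know which plugin jars carry an affected copy of the library. The following is an added example, not code from the advisory or from the InventoryGui project: it reads the Maven metadata inside each jar and compares the recorded version with the patched one. It assumes the plugin shades the library and keeps its `pom.properties`; `make_jar` and the jar names are constructed sample input.

```python
import io
import re
import zipfile

# Coordinates and fixed version are taken from the advisory's package table.
GROUP, ARTIFACT, FIXED = "de.themoep", "inventorygui", "1.6.4-SNAPSHOT"
# Assumption: the plugin shades the library and keeps its Maven metadata file.
POM_PROPS = f"META-INF/maven/{GROUP}/{ARTIFACT}/pom.properties"

def version_key(version):
    """Order by numeric parts, then SNAPSHOT before the release of that number."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))
    return nums, (0 if qualifier.upper() == "SNAPSHOT" else 1)

def is_affected(version):
    return version_key(version) < version_key(FIXED)

def bundled_version(jar_bytes):
    """Return the InventoryGui version recorded in a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        text = jar.read(POM_PROPS).decode("utf-8", "replace")
    match = re.search(r"^version\s*[=:]\s*(\S+)", text, re.MULTILINE)
    return match.group(1) if match else None

def scan(jars):
    """Map jar name -> (version, affected) for jars that bundle the library."""
    report = {}
    for name, data in jars.items():
        version = bundled_version(data)
        if version is not None:
            report[name] = (version, is_affected(version))
    return report

def make_jar(version=None):
    """Constructed sample input: an in-memory plugin jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("plugin.yml", "name: Sample\n")
        if version:
            jar.writestr(POM_PROPS, f"artifactId={ARTIFACT}\nversion={version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    sample = {"shop.jar": make_jar("1.6.3-SNAPSHOT"), "menus.jar": make_jar("1.6.4-SNAPSHOT")}
    for name, (version, affected) in scan(sample).items():
        print(f"{name}: inventorygui {version} -> {'AFFECTED' if affected else 'ok'}")
```

On a real server, pass `scan` a mapping of file name to file bytes for every jar in the plugins directory. A jar that omits the metadata file is not reported, so an empty result does not prove the library is absent.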

Affected products

2

Patches

1
00e684bd689e

Block Bundle items adding/emptying in storage elements (#51)

https://github.com/Phoenix616/InventoryGui · Phoenix616 · Oct 21, 2024 · via ghsa
1 file changed · +10 −0
  • src/main/java/de/themoep/inventorygui/GuiStorageElement.java+10 0 modified
    @@ -25,6 +25,7 @@
     import org.bukkit.ChatColor;
     import org.bukkit.Material;
     import org.bukkit.entity.HumanEntity;
    +import org.bukkit.event.inventory.ClickType;
     import org.bukkit.event.inventory.InventoryClickEvent;
     import org.bukkit.inventory.Inventory;
     import org.bukkit.inventory.ItemStack;
    @@ -100,6 +101,15 @@ public GuiStorageElement(char slotChar, Inventory storage, int invSlot, Runnable
                 }
                 ItemStack storageItem = getStorageItem(click.getWhoClicked(), click.getSlot());
                 ItemStack slotItem = click.getRawEvent().getView().getTopInventory().getItem(click.getSlot());
    +
    +            if (click.getType() == ClickType.RIGHT && (
    +                    click.getCursor() != null && click.getCursor().getType().getKey().getKey().contains("bundle")
    +                            || storageItem != null && storageItem.getType().getKey().getKey().contains("bundle")
    +                            || slotItem != null && slotItem.getType().getKey().getKey().contains("bundle"))) {
    +                gui.draw(click.getWhoClicked(), false);
    +                return true;
    +            }
    +
                 if (slotItem == null && storageItem != null && storageItem.getType() != Material.AIR
                         || storageItem == null && slotItem != null && slotItem.getType() != Material.AIR
                         || storageItem != null && !storageItem.equals(slotItem)) {
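Review bot: In the new right-click guard, the test `getType().getKey().getKey().contains("bundle")` is written out three times (cursor, storageItem, slotItem) inside one condition that mixes `&&` and `||` without grouping parentheses. A small null-safe private helper, for example isBundle(ItemStack), would make the condition readable and give one place for a comment on why a substring match on the key is used rather than a Material comparison. The guard also applies only when `click.getType() == ClickType.RIGHT`, so a short comment stating why no other click type needs the same handling would help whoever maintains this next.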
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
