CVE-2025-62783

5.0 MEDIUM

📋 TL;DR

InventoryGui library versions 1.6.1-SNAPSHOT and earlier contain a vulnerability that allows item duplication in Minecraft servers when the experimental Bundle item feature is enabled. This affects any Bukkit/Spigot plugin using the GuiStorageElement functionality. Server administrators using vulnerable versions with Bundle items enabled are at risk.

💻 Affected Systems

Products:
  • InventoryGui library for Bukkit/Spigot plugins
Versions: 1.6.1-SNAPSHOT and earlier
Operating Systems: Any OS running Bukkit/Spigot Minecraft servers
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when experimental Bundle item feature is enabled on the server. Many servers may not have this feature enabled by default.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious players could duplicate valuable in-game items, causing severe economic disruption in server economies and potentially crashing servers through resource exhaustion.

🟠 Likely Case

Players discover and exploit the bug to duplicate items, leading to server economy inflation and unfair gameplay advantages.

🟢 If Mitigated

Limited impact with proper monitoring and quick response to suspicious item duplication reports.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires player access to GUI interfaces using GuiStorageElement and Bundle items enabled. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.2-SNAPSHOT

Vendor Advisory: https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-598q-jw82-5w66

Restart Required: No

Instructions:

1. Update the InventoryGui dependency to version 1.6.2-SNAPSHOT or later.
2. Rebuild/update any plugins using InventoryGui.
3. No server restart is required for library updates in most cases.

🔧 Temporary Workarounds

Disable Bundle Items (all)

Disable the experimental Bundle item feature in the server configuration.

Set 'enable-bundle-items' to false in server.properties or the relevant config file.

🧯 If You Can't Patch

  • Disable experimental Bundle item feature in server configuration
  • Monitor server logs for unusual item duplication patterns and investigate player reports

🔍 How to Verify

Check if Vulnerable:

Check whether the InventoryGui version is 1.6.1-SNAPSHOT or earlier AND Bundle items are enabled in the server configuration.

Check Version:

Check plugin.yml or the library manifest for the InventoryGui version.

Verify Fix Applied:

Verify that the InventoryGui version is 1.6.2-SNAPSHOT or later, or confirm that Bundle items are disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual item duplication patterns in server logs
  • Multiple identical item transactions in quick succession
  • Player reports of item duplication

Network Indicators:

  • N/A - this is a server-side game mechanic vulnerability

SIEM Query:

Search for patterns of identical item IDs being created multiple times within short timeframes.
