CVE-2025-62784

5.3 MEDIUM

📋 TL;DR

This vulnerability allows item duplication in Minecraft servers using the InventoryGui library when the experimental Bundle item feature is enabled. Any plugin using GuiStorageElement that permits item removal is affected, potentially disrupting server economies. The issue affects Bukkit/Spigot servers running vulnerable InventoryGui versions.

💻 Affected Systems

Products:
  • InventoryGui library
  • Bukkit/Spigot plugins using InventoryGui
Versions: All versions before 1.6.5
Operating Systems: Any OS running Bukkit/Spigot server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when experimental Bundle item feature is enabled on server.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Massive item duplication could crash the server economy, cause inventory corruption, and lead to server instability or crashes.

🟠 Likely Case: Limited item duplication by players exploiting the bug, causing minor economic disruption and requiring admin cleanup.

🟢 If Mitigated: No impact if the Bundle feature is disabled or the patched version is installed.

🌐 Internet-Facing: MEDIUM - Public servers with vulnerable plugins could be exploited by any player.
🏢 Internal Only: LOW - Private servers with trusted players have lower risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires player access to a vulnerable GUI and the Bundle feature to be enabled on the server. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.5

Vendor Advisory: https://github.com/Phoenix616/InventoryGui/security/advisories/GHSA-7whh-79j3-7c55

Restart Required: Yes

Instructions:

1. Update InventoryGui to version 1.6.5 or later.
2. Restart the server.
3. Verify that all plugins using InventoryGui are compatible with the new version.

🔧 Temporary Workarounds

Disable Bundle feature (applies to: all)
  • Disable experimental Bundle items in the server configuration.
  • Edit server.properties or bukkit.yml to disable the bundle feature.

Restrict GUI access (applies to: all)
  • Limit player access to vulnerable GUIs using permissions.
  • Use permission plugins to restrict access to the affected GUIs.

🧯 If You Can't Patch

  • Disable experimental Bundle item feature in server configuration
  • Monitor server logs for unusual item duplication patterns

🔍 How to Verify

Check if Vulnerable:

The server is vulnerable if the InventoryGui version is below 1.6.5 and the experimental Bundle feature is enabled.

Check Version:

Run /plugins on the server, or check plugin.yml, to find the InventoryGui version.

Verify Fix Applied:

Confirm InventoryGui version is 1.6.5 or higher in plugin list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual item duplication in logs
  • Multiple item transactions in short time

Network Indicators:

  • Unusual inventory packet patterns

SIEM Query:

Search server logs for high-frequency occurrences of 'duplicate', 'item', and 'bundle'.
