CVE-2025-62782: 
Java vulnerability analysis and mitigation

InventoryGui, a library for creating chest GUIs for Bukkit/Spigot plugins, contains a vulnerability (CVE-2025-62782) in versions 1.6.3-SNAPSHOT and earlier where GUIs using GuiStorageElement can allow item duplication when the experimental Bundle item feature is enabled on the server. The vulnerability was discovered on October 21, 2024, and has been resolved in version 1.6.4-SNAPSHOT (GitHub Advisory).

The vulnerability occurs when using a GUIStorageElement component with Bundle items. When right-clicking with a bundle, the item is placed in the GUI while remaining on the cursor with one less item inside, instead of being properly removed from the bundle as in a normal inventory. The vulnerability has been assigned a CVSS v4.0 base score of 5.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:L/SC:N/SI:L/SA:L (GitHub Advisory).

Any plugin using the GuiStorageElement is impacted when used on a server which allows the experimental Bundle items. The vulnerability allows players to duplicate items through the improper handling of Bundle interactions with the GUI system (GitHub Advisory).

The vulnerability has been patched in version 1.6.4-SNAPSHOT. For users unable to update immediately, two workarounds are available: either disable the experimental Bundle items feature or avoid using the GuiStorageElement in GUIs (GitHub Advisory).