CVE-2025-62784: 
Java vulnerability analysis and mitigation

CVE-2025-62784 affects InventoryGui, a library for creating chest GUIs for Bukkit/Spigot plugins. The vulnerability was discovered and disclosed on October 26, 2025, affecting versions before 1.6.5. The vulnerability exists in the GuiStorageElement component when the experimental Bundle item feature is enabled on the server, potentially allowing item duplication (NVD, GitHub Advisory).

The vulnerability is classified with a CVSS v4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N. The issue specifically occurs in plugins using a GUI with the GuiStorageElement that allows taking out items from that element when the experimental Bundle item feature is enabled (GitHub Advisory).

The vulnerability allows for item duplication in affected systems, potentially disrupting game economy and balance in Minecraft servers using the affected plugin. The CVSS metrics indicate low integrity impact on both the vulnerable and subsequent systems, with no impact on confidentiality or availability (GitHub Advisory).

The vulnerability has been patched in InventoryGui version 1.6.5, which disables GuiStorageElement when not running on 1.21.9 or later. For systems unable to update immediately, the recommended workaround is to avoid using the GuiStorageElement component (GitHub Advisory).