N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62784

GHSA ID

GHSA-7whh-79j3-7c55

EPSS Score

0.12366%

CWE

CWE-837

Published

10/28/2025

Updated

10/28/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62784

CVE-2025-62784: InventoryGui allows item duplication in GUIs which use GuiStorageElement

Impact

Any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element.

Patches

InventoryGui 1.6.5 (included in latest 1.6.5-SNAPSHOT) by disabling GuiStorageElement when not running on 1.21.9 or later.

Workarounds

Not using the GuiStorageElement.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62784

CVE-2025-62784:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62784

GHSA ID

GHSA-7whh-79j3-7c55

EPSS Score

0.12366%

CWE

CWE-837

Published

10/28/2025

Updated

10/28/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
de.themoep:inventorygui	maven	< 1.6.5	1.6.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in a desynchronization issue between the visual inventory presented to the player and the actual backing inventory storage, specifically when using GuiStorageElement. The analysis of the patch commit 690fc91d137c6cc04f6ed3a89449050964dd8cb9 reveals the root cause and the affected functions.

The core of the vulnerability is in the click and drag handling logic. The original code had several weaknesses:

In the GuiStorageElement constructor, the click handler (setAction) did not adequately verify that the item displayed in the GUI (slotItem) matched the item in the backing storage (storageItem) before performing an action. This allowed a player to get the GUI into an inconsistent state that could be exploited.
The InventoryGui.onInventoryDrag method used an insufficient validation function (validateItemPlace), which could be bypassed to create duplicated items.
A central flawed mechanism was the InventoryGui.storeItems method. This method, called on inventory close or page change, would save the (potentially manipulated) state of the visual GUI back to the storage, making the item duplication permanent. The patch completely removes this method.

The fix involves three main changes:

Adding strict consistency checks in the GuiStorageElement click handler to detect and correct any desynchronization between the visual slot and the backing storage before any click action is processed.
Replacing the weak validation in onInventoryDrag with a direct and safer update to the storage.
Removing the storeItems method entirely, thus eliminating the flawed synchronization trigger.

Therefore, the vulnerable functions are the GuiStorageElement constructor where the faulty click handler is defined, the onInventoryDrag event handler, and the now-removed storeItems method which finalized the duplication.

Vulnerable functions

de.themoep.inventorygui.GuiStorageElement.<init>

src/main/java/de/themoep/inventorygui/GuiStorageElement.java

This constructor creates the `GuiStorageElement` and defines its behavior when a player clicks on it. The original implementation of the click handler contained flawed logic that failed to prevent a desynchronization between the displayed inventory and the actual storage. This allowed an attacker to manipulate the GUI to duplicate items. The vulnerable code is the lambda function passed to `setAction` in the constructor.

de.themoep.inventorygui.InventoryGui.onInventoryDrag

src/main/java/de/themoep/inventorygui/InventoryGui.java

This function handles item dragging events within the GUI. The original code used a validation method that was not sufficient to prevent item duplication. An attacker could perform a drag operation that bypasses the intended logic, leading to a duplicated item. The patch replaces the weak validation with a more robust method (`setStorageItem`) that directly and correctly updates the backing storage.

de.themoep.inventorygui.InventoryGui.storeItems

src/main/java/de/themoep/inventorygui/InventoryGui.java

This function was responsible for synchronizing the items in the GUI with the underlying storage. It was called when the inventory was closed or when pages were changed. This synchronization logic was flawed, allowing a player to trigger it after desynchronizing the GUI state from the storage state, thereby confirming the duplication of an item. The function was removed in the patch to eliminate this flawed mechanism.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62784: InventoryGui allows item duplication in GUIs which use GuiStorageElement

Impact

Patches

Workarounds

CVE-2025-62784:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

CVE-2025-62784: InventoryGui allows item duplication in GUIs which use GuiStorageElement

Impact

Patches

Workarounds

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI