CVE-2025-49000
published 2025-06-03


Priority: P4 (27)
Severity: medium (CVSS 3.1 base score 5.7)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.28% (19.8th percentile)
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. The issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.
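As an added illustration of the bug class described above (this is not InvenTree's code; the sheet geometry and function names are constructed for the example), the unbounded pre-allocation is shown beside a bounded form that validates `skip` against the sheet capacity and never materialises the skipped slots:

```python
# Added illustration (not InvenTree's code) of the bug class behind CVE-2025-49000.
# Sheet geometry is a constructed example; the real plugin derives it from the
# selected page and label size.
LABELS_PER_ROW = 3
LABELS_PER_COLUMN = 8
LABELS_PER_SHEET = LABELS_PER_ROW * LABELS_PER_COLUMN  # 24 slots per sheet


def layout_vulnerable(items, skip):
    """Vulnerable pattern: ``skip`` is only checked to be non-negative, so the
    size of the pre-allocated list is controlled by the request."""
    if skip < 0:
        raise ValueError("skip must be non-negative")
    slots = [None] * skip      # O(skip) memory before any label is placed
    slots.extend(items)
    return slots


def validate_skip(skip):
    """Hardened check: a blank offset past the end of one sheet is meaningless,
    so accept only integers in [0, LABELS_PER_SHEET)."""
    return isinstance(skip, int) and 0 <= skip < LABELS_PER_SHEET


def layout_fixed(items, skip):
    """Hardened layout: validate ``skip`` up front and compute each label's
    (sheet, row, column) from its index instead of materialising the skipped
    slots, so memory grows only with the number of labels actually printed."""
    if not validate_skip(skip):
        raise ValueError(f"skip must be an integer in [0, {LABELS_PER_SHEET})")
    positions = []
    for i, item in enumerate(items):
        sheet, cell = divmod(skip + i, LABELS_PER_SHEET)
        row, col = divmod(cell, LABELS_PER_ROW)
        positions.append((item, sheet, row, col))
    return positions


if __name__ == "__main__":
    labels = ["part-A", "part-B"]          # constructed sample labels
    print(layout_fixed(labels, skip=23))   # last slot of sheet 0, first of sheet 1
    for candidate in (23, 24, 10**9):
        print(candidate, "accepted" if validate_skip(candidate) else "rejected")
```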

Affected (2 ranges)

Vendor             Product    Version range   Fixed in
inventree          inventree  < 0.17.13       0.17.13
inventree_project  inventree  < 0.17.13       0.17.13