CVE-2025-49000
Published 2025-06-03
Priority: P4, 27
Severity: medium, 5.7 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.28% (19.8th percentile)
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. The issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| inventree | inventree | < 0.17.13 | 0.17.13 |
| inventree_project | inventree | < 0.17.13 | 0.17.13 |