CVE-2025-49000

MEDIUM EPSS 19.9%
Published Jun 3, 20251y ago · Modified Jun 17, 20261w ago
5.7 CVSS 3.1
Medium
Find Similar
Published Jun 3, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.

CVSS Details

Base Score
5.7
Exploitability
2.1
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
19.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-770

Affected Products 1

VendorProductVersionRange
inventree_projectinventree* <0.17.13

References 3

  • github.com https://github.com/inventree/InvenTree/commit/0826a75ef6dde0ad96d680f52a9cf171ba2ce98b
    Patch
  • github.com https://github.com/inventree/InvenTree/releases/tag/0.17.13
    Release Notes
  • github.com https://github.com/inventree/InvenTree/security/advisories/GHSA-m2ch-h84r-p9r6
    Vendor Advisory

Remediation

  • github.com https://github.com/inventree/InvenTree/commit/0826a75ef6dde0ad96d680f52a9cf171ba2ce98b
    Patch