EUVD-2025-16786CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
4Tags
Description
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in `label-sheet` plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.
Analysis
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in label-sheet plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.
Technical Context
A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400).
Affected Products
Affected products: Inventree Project Inventree
Remediation
A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today