Home > Vulnerability Database > CVE-2025-49000

Mend.io Vulnerability Database

CVE-2025-49000

Good to know:

Date: June 3, 2025

InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in "label-sheet" plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a denial-of-service via memory exhaustion. the issue is fixed in versions 0.17.13 and higher. No workaround is available aside from upgrading to the patched version.

Severity Score

3.5

Related Resources (5)

Url: https://github.com/inventree/InvenTree/commit/0826a75ef6dde0ad96d680f52a9cf171ba2ce98b

Url: https://github.com/inventree/InvenTree/security/advisories/GHSA-m2ch-h84r-p9r6

Url: https://github.com/inventree/InvenTree/releases/tag/0.17.13

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49000

Url: https://www.mend.io/vulnerability-database/CVE-2025-49000

Severity Score

3.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version https://github.com/inventree/InvenTree.git - 0.17.13

Learn More

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49000

Good to know:

Date: June 3, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?