InvenTree
cpe:2.3:a:inventree_project:inventree:*:*:*:*:*:*:*
- < 1.2.3
A server-side template injection vulnerability has been identified in InvenTree versions prior to 1.2.3. This vulnerability allows users with staff permissions to manipulate Jinja2 templates used for generating custom batch codes. Maliciously modified templates can exfiltrate sensitive information or execute code on the server. Once a template is compromised, other users can trigger the execution with their own user context. The vulnerability has been patched in version 1.2.3 and in versions 1.3.0 and later. For versions prior to 1.2.3, it is recommended to override certain global settings at the system level to prevent unauthorized edits.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information and arbitrary code execution on the server.
Users of InvenTree prior to version 1.2.3 should override the 'STOCK_BATCH_CODE_TEMPLATE' and 'PART_NAME_FORMAT' global settings at the system level to prevent editing. This requires system administrator access and cannot be changed from the client side once the server is running.
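The advisory's root cause is that a staff-editable Jinja2 template is rendered on the server, so the defensive question is how to constrain such templates. The following is an added example, not InvenTree's code: it lints a user-supplied batch-code template against an allowlist of variables and filters, rejects calls, imports and dunder lookups at the AST level, and only then renders it inside Jinja2's `SandboxedEnvironment`. The allowlists, the `Part` stand-in class and the function names are assumptions chosen for illustration.

```python
# Added example (not InvenTree's code): lint a user-supplied Jinja2 batch-code
# template before storing it, then render it in a sandbox. The allowlists and
# the Part stand-in below are assumptions made for this illustration.
from dataclasses import dataclass

from jinja2 import meta, nodes
from jinja2.exceptions import SecurityError, TemplateSyntaxError
from jinja2.sandbox import SandboxedEnvironment

# Assumed allowlists: a batch code only needs simple substitution and formatting.
ALLOWED_VARIABLES = {"year", "month", "day", "quantity", "part"}
ALLOWED_FILTERS = {"upper", "lower", "string", "default"}

# Constructs a batch-code template has no legitimate reason to use.
FORBIDDEN_NODES = (nodes.Call, nodes.Import, nodes.FromImport,
                   nodes.Include, nodes.Extends)

_env = SandboxedEnvironment(autoescape=False)


@dataclass
class Part:
    """Constructed stand-in for a part object exposed to the template."""
    name: str


def lint_template(source: str) -> list[str]:
    """Return a list of problems; an empty list means the template is acceptable."""
    try:
        ast = _env.parse(source)
    except TemplateSyntaxError as exc:
        return [f"syntax error: {exc}"]

    problems = []
    for node in ast.find_all(FORBIDDEN_NODES):
        problems.append(f"disallowed construct: {type(node).__name__}")
    # Underscore-prefixed attributes reach Python internals; a string-keyed
    # item lookup gets the same check so it cannot be used as a bypass.
    for node in ast.find_all(nodes.Getattr):
        if node.attr.startswith("_"):
            problems.append(f"disallowed attribute: {node.attr}")
    for node in ast.find_all(nodes.Getitem):
        if isinstance(node.arg, nodes.Const) and str(node.arg.value).startswith("_"):
            problems.append(f"disallowed item lookup: {node.arg.value}")
    for node in ast.find_all(nodes.Filter):
        if node.name not in ALLOWED_FILTERS:
            problems.append(f"disallowed filter: {node.name}")
    unknown = meta.find_undeclared_variables(ast) - ALLOWED_VARIABLES
    for name in sorted(unknown):
        problems.append(f"unknown variable: {name}")
    return problems


def render_batch_code(source: str, context: dict) -> str:
    """Render a template only after it passes the lint, inside the sandbox."""
    problems = lint_template(source)
    if problems:
        raise ValueError("; ".join(problems))
    try:
        return _env.from_string(source).render(**context)
    except SecurityError as exc:
        # The sandbox is the second line of defence, not the first.
        raise ValueError(f"sandbox rejected template: {exc}") from exc


if __name__ == "__main__":
    ctx = {"part": Part("Widget"), "year": 2024}
    print(render_batch_code("{{ part.name|upper }}-{{ year }}", ctx))  # WIDGET-2024
    for bad in ("{{ part.delete() }}", "{{ secret }}", "{{ year|pprint }}", "{{ year"):
        print(bad, "->", lint_template(bad))
```

The AST lint is what enforces "substitution only": the sandbox by itself still permits method calls on objects it considers safe, so a template such as `{{ part.delete() }}` would be executed with the rendering user's context unless it is rejected before rendering. Running the lint at save time also gives a natural place to log and alert on rejected templates.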