InvenTree Arbitrary Code Execution Vulnerability in PART_NAME_FORMAT Template Rendering

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in InvenTree versions 1.2.3 prior to 1.2.6. The issue arises because the PART_NAME_FORMAT validator was updated to use a sandboxed Jinja2 environment, but the corresponding renderer in part/helpers.py was not. This oversight allows a staff user with settings access to create a template that passes validation but executes arbitrary code when rendered. The vulnerability takes advantage of the dummy Part instance used during validation: a conditional template expression can evaluate differently against the dummy than against a real Part, so the branch that runs at render time is never exercised by the validator, and the unsandboxed renderer then executes it.
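The defensive pattern the fix implies is that validation and rendering must go through the same sandboxed environment, because a validator that renders against a dummy instance can only check the branches the dummy happens to take. The following is an added illustration, not InvenTree's own code: the `Part` dataclass, the `_make_env`, `render_part_name` and `validate_part_name_format` helpers and the dummy-part field values are all constructed for this example, and it uses Jinja2's `SandboxedEnvironment` with `StrictUndefined` so that a sandbox-blocked attribute raises `SecurityError` instead of silently rendering as an empty string.

```python
"""Sandboxed validation *and* rendering of a part-name template.

Constructed example (not InvenTree's code): both code paths share one
SandboxedEnvironment, so a template that passes validation cannot escape
the sandbox when it is later rendered against a real part.
"""
from dataclasses import dataclass

from jinja2 import StrictUndefined, TemplateSyntaxError
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment


@dataclass
class Part:
    """Minimal stand-in for the Part model (constructed; field names assumed)."""
    name: str
    IPN: str = ""
    revision: str = ""


def _make_env() -> SandboxedEnvironment:
    # One factory for both validator and renderer, so the two cannot drift apart
    # the way the page describes. StrictUndefined turns a sandbox-blocked attribute
    # into a SecurityError rather than an empty string, and also surfaces typos
    # in field names as UndefinedError during validation.
    return SandboxedEnvironment(undefined=StrictUndefined, autoescape=False)


def render_part_name(template_src: str, part: Part) -> str:
    """Render the full part name; raises SecurityError on unsafe attribute access."""
    env = _make_env()
    return env.from_string(template_src).render(part=part)


def validate_part_name_format(template_src: str) -> bool:
    """Check a candidate PART_NAME_FORMAT before it is saved.

    Validation renders against a dummy part, so it can only exercise the
    branches that dummy happens to take. That is exactly why render_part_name()
    must use the same sandbox instead of trusting this check alone.
    """
    dummy = Part(name="validation", IPN="", revision="")  # constructed dummy instance
    try:
        render_part_name(template_src, dummy)
    except (TemplateSyntaxError, SecurityError, UndefinedError):
        return False
    return True


if __name__ == "__main__":
    fmt = "{{ part.name }}{% if part.IPN %} ({{ part.IPN }}){% endif %}"
    print(validate_part_name_format(fmt), render_part_name(fmt, Part("Resistor", "R-100")))
```

The point of the shared `_make_env` is that the validator's verdict is advisory: whatever branch a template takes at render time, the renderer itself refuses unsafe attribute access, so a template that slips past the dummy-instance check still cannot execute code.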

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where InvenTree is running.

Remediation

Users should update to InvenTree version 1.2.7 or 1.3.0, where this vulnerability has been patched. Alternatively, the PART_NAME_FORMAT setting can be overridden at the system level to a fixed default value, which prevents it from being edited via the client interface; this requires system administrator access.

Added: Apr 8, 2026, 11:03 PM
Updated: Apr 8, 2026, 11:03 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 7.5
exploitability: 3.8
remediation: 8.3
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.