CVE-2024-10821 – invokeai

Package

Manager: pip
Name: invokeai
Vulnerable Version: >=0 <=5.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00091 pctl0.2673

Details

InvokeAI has Denial of Service (DoS) vulnerability in `/api/v1/images/upload` A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.

Metadata

Created: 2025-03-20T12:32:40Z
Modified: 2025-03-21T16:29:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6f6x-f56q-5xgv/GHSA-6f6x-f56q-5xgv.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-6f6x-f56q-5xgv
Finding: F002
Auto approve: 1