CVE-2024-11042 – invokeai

Package

Manager: pip
Name: invokeai
Vulnerable Version: >=0 <5.3.0rc1

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01284 pctl0.78843

Details

InvokeAI Arbitrary File Deletion vulnerability In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.

Metadata

Created: 2025-03-20T12:32:41Z
Modified: 2025-03-21T16:32:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-227r-w5j2-6243/GHSA-227r-w5j2-6243.json
CWE IDs: ["CWE-20", "CWE-22"]
Alternative ID: GHSA-227r-w5j2-6243
Finding: F184
Auto approve: 1