VYPR

PyPI package

invokeai

pkg:pypi/invokeai

Vulnerabilities (5)

  • CVE-2025-6237 (Critical) Sep 18, 2025
    affected: < 6.7.0; fixed: 6.7.0

    A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. By manipulating the filename arguments, attackers can read and delete any files on

  • CVE-2024-12029 (Critical) Mar 20, 2025
    affected: >= 5.3.1, < 5.4.3rc2; fixed: 5.4.3rc2

    A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedd

  • CVE-2024-11043 (High) Mar 20, 2025
    affected: <= 5.0.2

    A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the board_name field during a PATCH request. By sending a large payload, t

  • CVE-2024-11042 (Critical) Mar 20, 2025
    affected: < 5.3.0rc1; fixed: 5.3.0rc1

    In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH

  • CVE-2024-10821 (High) Mar 20, 2025
    affected: <= 5.0.2

    A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of
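CVE-2025-6237 and CVE-2024-11042 above are the same class of failure: a user-controlled filename is joined onto a storage directory and the result is read or deleted without confirming it still lies inside that directory. The following is an added example, not invokeai's own code, showing the containment check a practitioner would put in front of any such read or delete. The helper names (`resolve_within`, `safe_delete`), the temporary directory layout and the sample filenames are constructed for illustration.

```python
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied name escapes the permitted directory."""


def resolve_within(base_dir: Path, user_name: str) -> Path:
    """Return base_dir / user_name only if the fully resolved path stays inside base_dir.

    Hypothetical helper (not part of invokeai). Both sides are resolved first so that
    '..' segments, absolute paths and symlinks are compared after normalisation,
    not before. The base directory itself is rejected: callers want a file in it.
    """
    base = base_dir.resolve()
    candidate = (base / user_name).resolve()   # pathlib: an absolute user_name replaces base
    if candidate == base or not candidate.is_relative_to(base):   # Python 3.9+
        raise PathTraversalError(f"{user_name!r} escapes {base}")
    return candidate


def safe_delete(base_dir: Path, user_name: str) -> bool:
    """Delete a regular file inside base_dir, refusing anything that resolves outside it."""
    target = resolve_within(base_dir, user_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: a downloads dir holding one file, and a secret one level up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        downloads = root / "downloads"
        downloads.mkdir()
        (downloads / "bulk.zip").write_bytes(b"PK\x03\x04")
        secret = root / "secret.txt"
        secret.write_text("keep me")

        results = {}
        for name in ("bulk.zip", "../secret.txt", "/etc/passwd", "sub/../bulk.zip"):
            try:
                results[name] = "ok:" + resolve_within(downloads, name).name
            except PathTraversalError:
                results[name] = "rejected"

        # The naive join is what the traversal bug looks like: it points straight at the secret.
        results["naive_join_exists"] = (downloads / "../secret.txt").exists()

        # Deleting through the checked path works for the real file and refuses the escape.
        results["delete_bulk"] = safe_delete(downloads, "bulk.zip")
        try:
            safe_delete(downloads, "../secret.txt")
            results["delete_secret"] = "deleted"
        except PathTraversalError:
            results["delete_secret"] = "rejected"
        results["secret_survives"] = secret.exists()
        return results
```

Resolving both paths before comparing is the important part: a string prefix check on the unresolved join (`str(candidate).startswith(str(base))`) is defeated by `..` and, on a directory name that is a prefix of another, by sibling directories such as `downloads2`.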
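CVE-2024-12029 above describes unsafe deserialization of model files via torch.load. A plain torch.load drives Python's pickle machinery, and a pickle stream can name any importable global and have it called during loading. The following is an added example, not invokeai's code and not the project's fix, showing a constructed hostile checkpoint beside an allowlist-based unpickler of the kind that blocks it. The `MaliciousCheckpoint` payload uses `eval("6*7")` as a harmless stand-in for the `os.system` call a real attacker would embed; the allowlist contents are an assumption for illustration.

```python
import io
import pickle
from collections import OrderedDict


class MaliciousCheckpoint:
    """Constructed stand-in for a model file carrying a pickle payload.

    __reduce__ tells pickle to rebuild this object by calling eval("6*7").
    A real payload would name os.system or subprocess.Popen instead.
    """

    def __reduce__(self):
        return (eval, ("6*7",))


def unsafe_load(data: bytes):
    """What pickle.load (and torch.load without weights_only) does: every
    global named in the stream is imported and may be called."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist loader: resolves only the globals a checkpoint legitimately needs.

    Primitive containers (dict, list, str, float) need no global lookup at all,
    so a state_dict-style file loads with a very short allowlist.
    """

    ALLOWED = {
        ("collections", "OrderedDict"),   # assumption: what our sample checkpoint needs
    }

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    # Constructed inputs: a benign state_dict-like checkpoint and a hostile one.
    benign = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]))
    hostile = pickle.dumps(MaliciousCheckpoint())

    out = {}
    out["benign_safe"] = list(safe_load(benign).keys())
    out["hostile_unsafe"] = unsafe_load(hostile)   # eval ran: attacker-chosen code executed
    try:
        safe_load(hostile)
        out["hostile_safe"] = "loaded"
    except pickle.UnpicklingError:
        out["hostile_safe"] = "rejected"   # builtins.eval is not on the allowlist
    return out
```

For real checkpoints the practical controls are the same idea applied at the framework level: prefer a non-executable container format such as safetensors for uploaded models, and where pickle-based files must be accepted, load them with `torch.load(..., weights_only=True)`, which switches PyTorch to a restricted unpickler rather than the permissive default.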