VYPR

Invokeai

by Invoke AI

pypi: invokeai

Source repositories

CVEs (5)

  • CVE-2024-12029 · Critical · Mar 20, 2025
    risk 0.60 · cvss 9.8 · epss 0.05

    A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by…

  • CVE-2025-6237 · Critical · Sep 18, 2025
    risk 0.57 · cvss 9.8 · epss 0.00

    A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. By manipulating the filename arguments, attackers can read and delete any files…

  • CVE-2024-11042 · Critical · Mar 20, 2025
    risk 0.52 · cvss 9.1 · epss 0.01

    In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH…

  • CVE-2024-11043 · High · Mar 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the board_name field during a PATCH request. By sending a large payload,…

  • CVE-2024-10821 · High · Mar 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end…
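The CVE-2024-12029 entry above turns on torch.load deserializing an attacker-supplied model file. torch.load is built on Python's pickle, and pickle lets a serialized object name any importable callable to be invoked at load time, so "loading a model" is code execution for whoever wrote the file. The following is an added example, not InvokeAI's or PyTorch's code: it builds such a file with plain pickle (so it runs without torch), shows that a default load runs the embedded callable, and shows a restricted unpickler with an allow-list of globals refusing it while still loading a benign state dict. The `record_execution` hook, `SAFE_GLOBALS` contents and file layout are constructed for the demo. For torch itself the equivalent fixes are `torch.load(path, weights_only=True)` or a non-pickle format such as safetensors.

```python
"""Added example: pickle-based model files execute attacker callables on load,
and an allow-listing unpickler refuses them. Illustrative, not InvokeAI's code."""
import collections
import io
import pickle

# Harmless side-effect recorder so the demo stays safe. A real payload would name
# os.system or subprocess.Popen in exactly the same __reduce__ hook.
EXECUTED = []


def record_execution(tag):
    EXECUTED.append(tag)
    return tag


class MaliciousModel:
    """__reduce__ tells the unpickler: call this callable with these args at load
    time, before any application code gets to inspect the result."""

    def __reduce__(self):
        return (record_execution, ("payload ran at load time",))


def build_malicious_model_file() -> bytes:
    # Constructed "model file" of the kind uploaded to a model-install endpoint.
    return pickle.dumps({"state_dict": MaliciousModel()})


def build_benign_model_file() -> bytes:
    # Constructed benign file: an ordered mapping of layer name -> weights list.
    return pickle.dumps(collections.OrderedDict([("layer.weight", [0.1, 0.2])]))


def load_unsafely(data: bytes):
    """The vulnerable pattern: a full pickle load, as torch.load does by default."""
    return pickle.loads(data)


# (module, name) pairs a plain weights file legitimately needs. A real allow-list
# for a given framework is longer (tensor rebuild helpers, dtype objects, ...).
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL opcode goes through here; anything not allow-listed is fatal.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from model file")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Returns (payload_ran_on_default_load, payload_blocked_by_restricted_load, benign_loaded)."""
    EXECUTED.clear()
    payload = build_malicious_model_file()
    load_unsafely(payload)
    ran = EXECUTED == ["payload ran at load time"]

    EXECUTED.clear()
    try:
        load_restricted(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = not EXECUTED  # rejected before the callable ever ran

    benign = load_restricted(build_benign_model_file())
    benign_ok = list(benign.items()) == [("layer.weight", [0.1, 0.2])]
    return ran, blocked, benign_ok
```

The allow-list is the whole defence: the untrusted bytes decide which `(module, name)` pairs are requested, so the loader, not the file, must decide which ones are honoured.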
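CVE-2025-6237 and CVE-2024-11042 above are both the same bug class: a client-supplied file name is joined onto a storage directory and then read or deleted without checking that the result is still inside that directory. The following is an added example, not InvokeAI's code, contrasting the naive join with a containment check that resolves symlinks and `..` first and then tests the result against the resolved base. The directory layout, file names and the `PathEscapeError` type are constructed for the demo.

```python
"""Added example: confining a client-supplied file name to a storage directory.
Illustrative, not InvokeAI's code."""
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested name would resolve outside the storage root."""


def resolve_inside(base_dir: Path, user_name: str) -> Path:
    """Return base_dir/user_name only if the fully resolved path stays inside base_dir.

    Order matters: resolve() first (follows symlinks, collapses '..'), then compare
    against the resolved base. Comparing the unresolved string is what traversal beats.
    """
    if not user_name or "\x00" in user_name:
        raise PathEscapeError("empty or NUL-containing name")
    base = base_dir.resolve()
    candidate = (base / user_name).resolve()  # an absolute user_name replaces base here
    if candidate == base or not candidate.is_relative_to(base):
        raise PathEscapeError(f"{user_name!r} escapes {base}")
    return candidate


def naive_delete(base_dir: Path, user_name: str) -> str:
    """The vulnerable pattern: string join, no containment check."""
    target = os.path.join(str(base_dir), user_name)
    os.remove(target)
    return target


def safe_delete(base_dir: Path, user_name: str) -> str:
    target = resolve_inside(base_dir, user_name)
    target.unlink()
    return str(target)


def demo():
    """Build a throwaway tree, run naive and checked deletion, return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        store = root / "outputs"          # the directory the endpoint is meant to serve
        store.mkdir()
        (store / "image.png").write_bytes(b"constructed image bytes")
        secret = root / "secret.txt"      # a file outside the store
        secret.write_text("constructed: must never be reachable")

        traversal = "../secret.txt"       # as it would arrive in the URL path segment

        # 1) naive join deletes the file outside the store
        naive_delete(store, traversal)
        naive_deleted_outside = not secret.exists()
        secret.write_text("constructed: must never be reachable")

        # 2) checked version rejects traversal, absolute paths, the base itself, empty
        verdicts = {}
        for name in (traversal, str(secret), "sub/../../secret.txt", ".", ""):
            try:
                safe_delete(store, name)
                verdicts[name] = "deleted"
            except PathEscapeError:
                verdicts[name] = "rejected"

        # 3) and still serves a legitimate name
        safe_delete(store, "image.png")

        return {
            "naive_deleted_outside": naive_deleted_outside,
            "all_escapes_rejected": all(v == "rejected" for v in verdicts.values()),
            "secret_survived": secret.exists(),
            "legit_deleted": not (store / "image.png").exists(),
        }
```

The same `resolve_inside` check applies to the read side (the bulk download endpoint): decide the path once, then hand only the vetted `Path` to the code that opens or removes it.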