Vulnerability Description
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b397
- https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3
- https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3
FAQ
What is CVE-2024-12029?
CVE-2024-12029 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files ...
How severe is CVE-2024-12029?
CVE-2024-12029 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-12029?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.