Arbitrary File Deletion Vulnerability in InvokeAI by Invoke AI
CVE-2024-11042

9.1CRITICAL

Key Information:

Vendor: Invoke-ai
Status: Invoke-ai/invokeai
Vendor: CVE Published:; 20 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-11042?

The InvokeAI product version v5.0.2 is vulnerable to a security flaw within its web API endpoint, specifically the POST /api/v1/images/delete. This vulnerability permits unauthorized users to delete arbitrary files on the server, which could include critical data like SSH keys, SQLite databases, and essential configuration files. Such unauthorized deletion jeopardizes the integrity and availability of applications that depend on these files, posing significant risks to data security and operational continuity.

Affected Version(s)

invoke-ai/invokeai < 5.3.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-11042
Created by gothburz

References

https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951...

https://github.com/invoke-ai/invokeai/commit/5440c0376748...

CVSS V3.0

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 22, 2025
👾
Exploit known to exist
Mar 22, 2025
Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Nov 9, 2024

CVE-2024-11042 Data

JSON

Invoke-ai

Badges

What is CVE-2024-11042?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V3.0

Timeline