Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/invokeai@5.3.1

Type pypi

Namespace

Name invokeai

Version 5.3.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 5.4.3rc1

Latest_non_vulnerable_version 6.7.0

Affected_by_vulnerabilities

url VCID-uzyp-pdaw-q7d9

vulnerability_id VCID-uzyp-pdaw-q7d9

summary A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.

references

reference_url	https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e
reference_id
reference_type
scores
url	https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e

reference_url	https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3
reference_id
reference_type
scores
url	https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3

fixed_packages

url	pkg:pypi/invokeai@5.4.3rc1
purl	pkg:pypi/invokeai@5.4.3rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.4.3rc1

aliases CVE-2024-12029, PYSEC-2025-9

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uzyp-pdaw-q7d9

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.3.1

Package Instance