VulnerableCode Package Details - pkg:pypi/invokeai@5.4.3rc1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:pypi/invokeai@5.4.3rc1

Essentials
History (1)

purl	pkg:pypi/invokeai@5.4.3rc1

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-uzyp-pdaw-q7d9	A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.	CVE-2024-12029 PYSEC-2025-9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:22:52.081373+00:00	Pypa Importer	Fixing	VCID-uzyp-pdaw-q7d9	https://github.com/pypa/advisory-database/blob/main/vulns/invokeai/PYSEC-2025-9.yaml	38.6.0