Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/invokeai@4.0.0rc6

Type pypi

Namespace

Name invokeai

Version 4.0.0rc6

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 6.7.0

Latest_non_vulnerable_version 6.7.0

Affected_by_vulnerabilities

url VCID-8dah-5986-y3g9

vulnerability_id VCID-8dah-5986-y3g9

summary

InvokeAI has Denial of Service (DoS) vulnerability in `/api/v1/images/upload`
A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-10821

reference_id

reference_type

scores

value	0.00059
scoring_system	epss
scoring_elements	0.18832
published_at	2026-06-07T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18771
published_at	2026-06-09T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18752
published_at	2026-06-08T12:55:00Z

value	0.00059
scoring_system	epss
scoring_elements	0.18873
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-10821

reference_url

https://github.com/invoke-ai/InvokeAI

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI

reference_url

https://github.com/invoke-ai/InvokeAI/blob/807f458f13e7693ada2fb929c2d513950611fe9c/invokeai/app/api/routers/images.py#L29

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI/blob/807f458f13e7693ada2fb929c2d513950611fe9c/invokeai/app/api/routers/images.py#L29

reference_url

https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:11Z/

url

https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-10821

reference_id

CVE-2024-10821

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-10821

reference_url

https://github.com/advisories/GHSA-6f6x-f56q-5xgv

reference_id

GHSA-6f6x-f56q-5xgv

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6f6x-f56q-5xgv

fixed_packages

url pkg:pypi/invokeai@5.1.0rc1

purl pkg:pypi/invokeai@5.1.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8m2n-enm5-b7dn

vulnerability	VCID-nvuh-7qug-sfa5

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.1.0rc1

aliases CVE-2024-10821, GHSA-6f6x-f56q-5xgv

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8dah-5986-y3g9

url VCID-8m2n-enm5-b7dn

vulnerability_id VCID-8m2n-enm5-b7dn

summary

InvokeAI Arbitrary File Deletion vulnerability
In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-11042

reference_id

reference_type

scores

value	0.00911
scoring_system	epss
scoring_elements	0.76233
published_at	2026-06-05T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.76228
published_at	2026-06-07T12:55:00Z

value	0.00911
scoring_system	epss
scoring_elements	0.76235
published_at	2026-06-06T12:55:00Z

value	0.00929
scoring_system	epss
scoring_elements	0.76482
published_at	2026-06-08T12:55:00Z

value	0.00929
scoring_system	epss
scoring_elements	0.76504
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-11042

reference_url

https://github.com/invoke-ai/InvokeAI

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI

reference_url

https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:43Z/

url

https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a

reference_url

https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951263987

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:43Z/

url

https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951263987

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-11042

reference_id

CVE-2024-11042

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-11042

reference_url

https://github.com/advisories/GHSA-227r-w5j2-6243

reference_id

GHSA-227r-w5j2-6243

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-227r-w5j2-6243

fixed_packages

url pkg:pypi/invokeai@5.3.0rc1

purl pkg:pypi/invokeai@5.3.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nvuh-7qug-sfa5

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.3.0rc1

aliases CVE-2024-11042, GHSA-227r-w5j2-6243

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8m2n-enm5-b7dn

url VCID-c3s3-ueq9-aqc4

vulnerability_id VCID-c3s3-ueq9-aqc4

summary

InvokeAI Uncontrolled Resource Consumption vulnerability
A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the board_name field during a PATCH request. By sending a large payload, the UI becomes unresponsive, rendering it impossible for users to interact with or manage the affected board. Additionally, the option to delete the board becomes inaccessible, amplifying the severity of the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-11043

reference_id

reference_type

scores

value	0.00203
scoring_system	epss
scoring_elements	0.42305
published_at	2026-06-05T12:55:00Z

value	0.00203
scoring_system	epss
scoring_elements	0.42262
published_at	2026-06-09T12:55:00Z

value	0.00203
scoring_system	epss
scoring_elements	0.42253
published_at	2026-06-08T12:55:00Z

value	0.00203
scoring_system	epss
scoring_elements	0.42289
published_at	2026-06-07T12:55:00Z

value	0.00203
scoring_system	epss
scoring_elements	0.42316
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-11043

reference_url

https://github.com/invoke-ai/InvokeAI

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI

reference_url

https://github.com/invoke-ai/InvokeAI/blob/b79f2a4e4f183db9016584813748a69d34d62a26/invokeai/app/services/shared/invocation_context.py#L76

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI/blob/b79f2a4e4f183db9016584813748a69d34d62a26/invokeai/app/services/shared/invocation_context.py#L76

reference_url

https://huntr.com/bounties/9270900a-b8b7-402f-aee5-432d891e5648

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:32:44Z/

url

https://huntr.com/bounties/9270900a-b8b7-402f-aee5-432d891e5648

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-11043

reference_id

CVE-2024-11043

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-11043

reference_url

https://github.com/advisories/GHSA-ffh5-w482-c7m5

reference_id

GHSA-ffh5-w482-c7m5

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-ffh5-w482-c7m5

fixed_packages

url pkg:pypi/invokeai@5.1.0rc1

purl pkg:pypi/invokeai@5.1.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8m2n-enm5-b7dn

vulnerability	VCID-nvuh-7qug-sfa5

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.1.0rc1

aliases CVE-2024-11043, GHSA-ffh5-w482-c7m5

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c3s3-ueq9-aqc4

url VCID-nvuh-7qug-sfa5

vulnerability_id VCID-nvuh-7qug-sfa5

summary

InvokeAI has External Control of File Name or Path
### Path Traversal Vulnerability in InvokeAI

A path traversal vulnerability in **InvokeAI** (versions < 6.7.0) allows an unauthenticated remote attacker to read files outside the intended media directory via the **bulk downloads** API.

The endpoint accepts a user-controlled file/item name and concatenates it into a filesystem path without proper canonicalization or allow-listing. By supplying sequences such as `../` (or absolute paths), an attacker can cause the server to traverse directories and return arbitrary files.

In certain storage or back-end configurations, abusing attacker-controlled paths can also lead to unintended overwriting or deletion of files referenced by the crafted path.

The issue is fixed in **6.7.0**, which normalizes and validates input paths and rejects traversal attempts.

**Affected versions:** `< 6.7.0`
**Patched version:** `6.7.0`

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-6237

reference_id

reference_type

scores

value	0.00112
scoring_system	epss
scoring_elements	0.2946
published_at	2026-06-05T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.2937
published_at	2026-06-09T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29357
published_at	2026-06-08T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29391
published_at	2026-06-07T12:55:00Z

value	0.00112
scoring_system	epss
scoring_elements	0.29425
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-6237

reference_url

https://github.com/invoke-ai/InvokeAI

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI

reference_url

https://github.com/invoke-ai/InvokeAI/blob/v6.0.0a1/invokeai/app/api/routers/images.py#L493-L524

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI/blob/v6.0.0a1/invokeai/app/api/routers/images.py#L493-L524

reference_url

https://github.com/invoke-ai/InvokeAI/pull/8548/commits/eff565ae6ace1c8458f187245690bff0513f1b9e

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI/pull/8548/commits/eff565ae6ace1c8458f187245690bff0513f1b9e

reference_url

https://github.com/invoke-ai/InvokeAI/releases/tag/v6.7.0

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/invoke-ai/InvokeAI/releases/tag/v6.7.0

reference_url

https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-09-18T13:31:15Z/

url

https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-6237

reference_id

CVE-2025-6237

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-6237

reference_url

https://github.com/advisories/GHSA-vv9c-xxg7-wmv7

reference_id

GHSA-vv9c-xxg7-wmv7

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vv9c-xxg7-wmv7

fixed_packages

url	pkg:pypi/invokeai@6.7.0
purl	pkg:pypi/invokeai@6.7.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@6.7.0

aliases CVE-2025-6237, GHSA-vv9c-xxg7-wmv7

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nvuh-7qug-sfa5

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@4.0.0rc6

Package Instance