{
  "url": "http://public2.vulnerablecode.io/api/packages/809354?format=json",
  "purl": "pkg:pypi/invokeai@4.2.0a4",
  "type": "pypi",
  "namespace": "",
  "name": "invokeai",
  "version": "4.2.0a4",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "6.7.0",
  "latest_non_vulnerable_version": "6.7.0",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56904?format=json",
      "vulnerability_id": "VCID-8dah-5986-y3g9",
      "summary": "InvokeAI has Denial of Service (DoS) vulnerability in `/api/v1/images/upload`\nA Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10821",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18873", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18752", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18832", "published_at": "2026-06-07T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10821"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI/blob/807f458f13e7693ada2fb929c2d513950611fe9c/invokeai/app/api/routers/images.py#L29",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI/blob/807f458f13e7693ada2fb929c2d513950611fe9c/invokeai/app/api/routers/images.py#L29"
        },
        {
          "reference_url": "https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:11Z/"}
          ],
          "url": "https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10821",
          "reference_id": "CVE-2024-10821",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10821"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-6f6x-f56q-5xgv",
          "reference_id": "GHSA-6f6x-f56q-5xgv",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-6f6x-f56q-5xgv"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/809402?format=json",
          "purl": "pkg:pypi/invokeai@5.1.0rc1",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-8m2n-enm5-b7dn"}, {"vulnerability": "VCID-nvuh-7qug-sfa5"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.1.0rc1"
        }
      ],
      "aliases": ["CVE-2024-10821", "GHSA-6f6x-f56q-5xgv"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8dah-5986-y3g9"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56944?format=json",
      "vulnerability_id": "VCID-8m2n-enm5-b7dn",
      "summary": "InvokeAI Arbitrary File Deletion vulnerability\nIn invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11042",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00911", "scoring_system": "epss", "scoring_elements": "0.76233", "published_at": "2026-06-05T12:55:00Z"},
            {"value": "0.00911", "scoring_system": "epss", "scoring_elements": "0.76228", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00911", "scoring_system": "epss", "scoring_elements": "0.76235", "published_at": "2026-06-06T12:55:00Z"},
            {"value": "0.00929", "scoring_system": "epss", "scoring_elements": "0.76482", "published_at": "2026-06-08T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11042"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI"
        },
        {
          "reference_url": "https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:43Z/"}
          ],
          "url": "https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a"
        },
        {
          "reference_url": "https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951263987",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:43Z/"}
          ],
          "url": "https://huntr.com/bounties/635535a7-c804-4789-ac3a-48d951263987"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11042",
          "reference_id": "CVE-2024-11042",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11042"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-227r-w5j2-6243",
          "reference_id": "GHSA-227r-w5j2-6243",
          "reference_type": "",
          "scores": [
            {"value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-227r-w5j2-6243"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/84541?format=json",
          "purl": "pkg:pypi/invokeai@5.3.0rc1",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-nvuh-7qug-sfa5"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.3.0rc1"
        }
      ],
      "aliases": ["CVE-2024-11042", "GHSA-227r-w5j2-6243"],
      "risk_score": 4.5,
      "exploitability": "0.5",
      "weighted_severity": "9.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8m2n-enm5-b7dn"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56892?format=json",
      "vulnerability_id": "VCID-c3s3-ueq9-aqc4",
      "summary": "InvokeAI Uncontrolled Resource Consumption vulnerability\nA Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the board_name field during a PATCH request. By sending a large payload, the UI becomes unresponsive, rendering it impossible for users to interact with or manage the affected board. Additionally, the option to delete the board becomes inaccessible, amplifying the severity of the issue.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11043",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42305", "published_at": "2026-06-05T12:55:00Z"},
            {"value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42253", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42289", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00203", "scoring_system": "epss", "scoring_elements": "0.42316", "published_at": "2026-06-06T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-11043"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI/blob/b79f2a4e4f183db9016584813748a69d34d62a26/invokeai/app/services/shared/invocation_context.py#L76",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI/blob/b79f2a4e4f183db9016584813748a69d34d62a26/invokeai/app/services/shared/invocation_context.py#L76"
        },
        {
          "reference_url": "https://huntr.com/bounties/9270900a-b8b7-402f-aee5-432d891e5648",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:32:44Z/"}
          ],
          "url": "https://huntr.com/bounties/9270900a-b8b7-402f-aee5-432d891e5648"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11043",
          "reference_id": "CVE-2024-11043",
          "reference_type": "",
          "scores": [
            {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
            {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11043"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-ffh5-w482-c7m5",
          "reference_id": "GHSA-ffh5-w482-c7m5",
          "reference_type": "",
          "scores": [
            {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-ffh5-w482-c7m5"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/809402?format=json",
          "purl": "pkg:pypi/invokeai@5.1.0rc1",
          "is_vulnerable": true,
          "affected_by_vulnerabilities": [{"vulnerability": "VCID-8m2n-enm5-b7dn"}, {"vulnerability": "VCID-nvuh-7qug-sfa5"}],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@5.1.0rc1"
        }
      ],
      "aliases": ["CVE-2024-11043", "GHSA-ffh5-w482-c7m5"],
      "risk_score": 4.0,
      "exploitability": "0.5",
      "weighted_severity": "8.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3s3-ueq9-aqc4"
    },
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47811?format=json",
      "vulnerability_id": "VCID-nvuh-7qug-sfa5",
      "summary": "InvokeAI has External Control of File Name or Path\n### Path Traversal Vulnerability in InvokeAI\n\nA path traversal vulnerability in **InvokeAI** (versions < 6.7.0) allows an unauthenticated remote attacker to read files outside the intended media directory via the **bulk downloads** API.\n\nThe endpoint accepts a user-controlled file/item name and concatenates it into a filesystem path without proper canonicalization or allow-listing. By supplying sequences such as `../` (or absolute paths), an attacker can cause the server to traverse directories and return arbitrary files.\n\nIn certain storage or back-end configurations, abusing attacker-controlled paths can also lead to unintended overwriting or deletion of files referenced by the crafted path.\n\nThe issue is fixed in **6.7.0**, which normalizes and validates input paths and rejects traversal attempts.\n\n**Affected versions:** `< 6.7.0`\n**Patched version:** `6.7.0`",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6237",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2946", "published_at": "2026-06-05T12:55:00Z"},
            {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29357", "published_at": "2026-06-08T12:55:00Z"},
            {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29391", "published_at": "2026-06-07T12:55:00Z"},
            {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29425", "published_at": "2026-06-06T12:55:00Z"}
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6237"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI/blob/v6.0.0a1/invokeai/app/api/routers/images.py#L493-L524",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI/blob/v6.0.0a1/invokeai/app/api/routers/images.py#L493-L524"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI/pull/8548/commits/eff565ae6ace1c8458f187245690bff0513f1b9e",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI/pull/8548/commits/eff565ae6ace1c8458f187245690bff0513f1b9e"
        },
        {
          "reference_url": "https://github.com/invoke-ai/InvokeAI/releases/tag/v6.7.0",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/invoke-ai/InvokeAI/releases/tag/v6.7.0"
        },
        {
          "reference_url": "https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""},
            {"value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-09-18T13:31:15Z/"}
          ],
          "url": "https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6237",
          "reference_id": "CVE-2025-6237",
          "reference_type": "",
          "scores": [
            {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6237"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-vv9c-xxg7-wmv7",
          "reference_id": "GHSA-vv9c-xxg7-wmv7",
          "reference_type": "",
          "scores": [
            {"value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-vv9c-xxg7-wmv7"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/70564?format=json",
          "purl": "pkg:pypi/invokeai@6.7.0",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@6.7.0"
        }
      ],
      "aliases": ["CVE-2025-6237", "GHSA-vv9c-xxg7-wmv7"],
      "risk_score": 4.5,
      "exploitability": "0.5",
      "weighted_severity": "9.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nvuh-7qug-sfa5"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.5",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/invokeai@4.2.0a4"
}
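The document above is a VulnerableCode package response for `pkg:pypi/invokeai@4.2.0a4`. The block below is an added example written for this page, not VulnerableCode's own client code, showing how to turn such a response into a triage list: it collects CVE aliases, the highest CVSS v3.1 score and the most recently published EPSS record from the per-reference `scores` lists (every reference repeats the same CVSS entry, so the maximum is taken once), and it separates a vulnerability's `fixed_packages` from the package-level upgrade target. That distinction is the practical point of this response: for VCID-8dah-5986-y3g9 the "fixed" package is 5.1.0rc1, which the same response flags as still vulnerable to two other entries, whereas `next_non_vulnerable_version` (6.7.0) accounts for all four. The embedded `SAMPLE_RESPONSE_JSON` is a constructed excerpt that carries a subset of the page's real values, trimmed to two vulnerabilities and two references each.

```python
from __future__ import annotations

import json
from typing import Any, Optional

# Constructed excerpt of the VulnerableCode package response on this page: real values
# for two of the four vulnerabilities, trimmed to two references each. Not a live fetch.
SAMPLE_RESPONSE_JSON = json.dumps({
    "purl": "pkg:pypi/invokeai@4.2.0a4",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "6.7.0",
    "latest_non_vulnerable_version": "6.7.0",
    "affected_by_vulnerabilities": [
        {
            "vulnerability_id": "VCID-8dah-5986-y3g9",
            "references": [
                {"reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10821", "scores": [
                    {"value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18873", "published_at": "2026-06-06T12:55:00Z"},
                    {"value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18752", "published_at": "2026-06-08T12:55:00Z"},
                ]},
                {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10821", "scores": [
                    {"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
                    {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
                ]},
            ],
            "fixed_packages": [
                {"purl": "pkg:pypi/invokeai@5.1.0rc1", "is_vulnerable": True,
                 "affected_by_vulnerabilities": [{"vulnerability": "VCID-8m2n-enm5-b7dn"}, {"vulnerability": "VCID-nvuh-7qug-sfa5"}]},
            ],
            "aliases": ["CVE-2024-10821", "GHSA-6f6x-f56q-5xgv"],
        },
        {
            "vulnerability_id": "VCID-nvuh-7qug-sfa5",
            "references": [
                {"reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6237", "scores": [
                    {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.2946", "published_at": "2026-06-05T12:55:00Z"},
                    {"value": "0.00112", "scoring_system": "epss", "scoring_elements": "0.29357", "published_at": "2026-06-08T12:55:00Z"},
                ]},
                {"reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6237", "scores": [
                    {"value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
                    {"value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},
                ]},
            ],
            "fixed_packages": [
                {"purl": "pkg:pypi/invokeai@6.7.0", "is_vulnerable": False, "affected_by_vulnerabilities": []},
            ],
            "aliases": ["CVE-2025-6237", "GHSA-vv9c-xxg7-wmv7"],
        },
    ],
})


def _scores(vuln: dict, system: str) -> list[dict]:
    """Every score record of one scoring_system, across all references of a vulnerability."""
    return [s for ref in vuln.get("references", []) for s in ref.get("scores", [])
            if s.get("scoring_system") == system]


def max_cvss(vuln: dict) -> Optional[float]:
    """Highest CVSS v3.1 base score; references repeat the same score, so take the max once."""
    values = [float(s["value"]) for s in _scores(vuln, "cvssv3.1")]
    return max(values) if values else None


def latest_epss(vuln: dict) -> Optional[tuple[float, float]]:
    """Newest EPSS record as (probability, percentile). In this feed 'value' is the
    probability and 'scoring_elements' carries the percentile."""
    recs = _scores(vuln, "epss")
    if not recs:
        return None
    newest = max(recs, key=lambda s: s["published_at"])
    return float(newest["value"]), float(newest["scoring_elements"])


def clean_fixed_versions(vuln: dict) -> list[str]:
    """Versions in fixed_packages that the feed does not itself flag as vulnerable to something else."""
    return [fp["purl"].rsplit("@", 1)[1] for fp in vuln.get("fixed_packages", [])
            if not fp.get("is_vulnerable")]


def triage(doc: dict) -> list[dict[str, Any]]:
    """One row per vulnerability, most severe first (CVSS, then EPSS as tie-breaker)."""
    rows = []
    for v in doc.get("affected_by_vulnerabilities", []):
        epss = latest_epss(v)
        rows.append({
            "vcid": v["vulnerability_id"],
            "cves": [a for a in v.get("aliases", []) if a.startswith("CVE-")],
            "cvss": max_cvss(v),
            "epss": epss[0] if epss else None,
            "clean_fix": clean_fixed_versions(v),
        })
    rows.sort(key=lambda r: (r["cvss"] or 0.0, r["epss"] or 0.0), reverse=True)
    return rows


def upgrade_target(doc: dict) -> Optional[str]:
    """The version to move to. Use the package-level next_non_vulnerable_version: it is
    computed over every listed vulnerability, unlike one entry's fixed_packages."""
    return doc.get("next_non_vulnerable_version") if doc.get("is_vulnerable") else None


if __name__ == "__main__":
    response = json.loads(SAMPLE_RESPONSE_JSON)
    for row in triage(response):
        print(row)
    print("upgrade to:", upgrade_target(response))
```

When pointing this at the live endpoint, fetch `url` with `?format=json` as the page does and pass the parsed body to `triage`; the function ignores fields it does not use, so the full response works unchanged.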
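CVE-2024-11042 (`POST /api/v1/images/delete`) and CVE-2025-6237 (the bulk downloads API) in the entries above are the same defect: a client-supplied file or item name is concatenated onto a directory path without canonicalization, so `../` components or an absolute name reach files outside the media directory, for reading in one case and deletion in the other. The block below is an added example written for this page, not InvokeAI's code and not its 6.7.0 patch; it places the unsafe join next to a containment check of the kind the advisory describes ("normalizes and validates input paths and rejects traversal attempts") and runs both against a throwaway directory tree. The media-root layout, the file names, the `PathOutsideRoot` exception and the `delete_media` handler are constructed for the demonstration.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathOutsideRoot(ValueError):
    """Raised when a client-supplied name would escape the media directory (constructed name)."""


def unsafe_join(media_root: Path, name: str) -> Path:
    """The pattern both advisories describe: the client's name is concatenated onto the
    media root with no canonicalization. '../' components walk out of the root, and an
    absolute name makes pathlib discard the root entirely."""
    return media_root / name


def safe_media_path(media_root: Path, name: str) -> Path:
    """Resolve the client's name against the media root and prove containment.

    Layer 1: the name must be a single path component, which is all an image-name
    or download-item API needs, so '..' and any separator are rejected up front.
    Layer 2: the fully resolved path (symlinks followed, '..' collapsed) must still sit
    under the resolved root. Path.relative_to is a structural check, not a string
    prefix, so a sibling directory such as 'media_backup' does not pass for 'media'.
    """
    root = media_root.resolve()
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise PathOutsideRoot(f"rejected name {name!r}: not a single path component")
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PathOutsideRoot(f"rejected name {name!r}: resolves outside {root}") from None
    return candidate


def delete_media(media_root: Path, name: str) -> Path:
    """A hardened delete handler: validate first, then unlink only the validated path."""
    target = safe_media_path(media_root, name)
    if not target.is_file():
        raise FileNotFoundError(target)
    target.unlink()
    return target


def _rejected(fn) -> bool:
    try:
        fn()
    except PathOutsideRoot:
        return True
    return False


def demo() -> dict:
    """Exercise both helpers in a constructed tree: <tmp>/media/a.png and <tmp>/secret.txt."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        media = base / "media"
        media.mkdir()
        (media / "a.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        secret = base / "secret.txt"
        secret.write_text("constructed stand-in for an SSH key or SQLite database\n")

        # The unsafe join happily produces paths outside the media root.
        results["unsafe_escapes"] = unsafe_join(media, "../secret.txt").resolve() == secret
        results["unsafe_absolute"] = unsafe_join(media, str(secret)) == secret

        # The containment check rejects traversal and absolute names.
        results["traversal_rejected"] = _rejected(lambda: safe_media_path(media, "../secret.txt"))
        results["absolute_rejected"] = _rejected(lambda: safe_media_path(media, str(secret)))

        # A symlink inside the root that points outside is caught by resolve() + relative_to().
        link = media / "evil.png"
        try:
            link.symlink_to(secret)
            results["symlink_rejected"] = _rejected(lambda: safe_media_path(media, "evil.png"))
        except OSError:          # platforms where symlink creation needs privileges
            results["symlink_rejected"] = None

        # Legitimate deletes still work, and the file outside the root is untouched.
        delete_media(media, "a.png")
        results["legit_deleted"] = not (media / "a.png").exists()
        results["secret_intact"] = secret.exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

The single-component rule is deliberately stricter than the resolve-and-compare check alone: an API that only ever names one image has no reason to accept separators, and rejecting them early keeps the resolve step from touching attacker-chosen directories at all.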
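CVE-2024-10821 above attributes the hang in `/api/v1/images/upload` to excess characters appended after a multipart boundary, and CVE-2024-11043 to an unbounded `board_name` value; both are missing limits on attacker-controlled input. The parser below is an added example written for this page, not InvokeAI's upload handling and not its patch (the advisory does not show the affected loop), and it assumes the common shape of such a bug: a scanner that, on seeing bytes it does not expect after a delimiter, re-searches without advancing. The example's scan offset strictly increases on every iteration, a delimiter must be followed by CRLF or the closing `--` or the request is rejected, the boundary parameter is held to RFC 2046's limit of 70 characters from its allowed character set, and the body, each part and the part count are capped. The sample body, the boundary `XyZ`, the `MAX_*` constants and the `MultipartError` type are constructed.

```python
from __future__ import annotations

import re

# Constructed limits; a real server sizes these to its upload policy.
MAX_BODY_BYTES = 8 * 1024 * 1024
MAX_PART_BYTES = 4 * 1024 * 1024
MAX_PARTS = 16
# RFC 2046 section 5.1.1: boundary is 1 to 70 characters of bchars and must not end in a space.
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")


class MultipartError(ValueError):
    """Request rejected before any expensive work (constructed exception type)."""


def boundary_from_content_type(content_type: str) -> bytes:
    """Extract and validate the boundary parameter (minimal parser, not a full RFC 2045 one)."""
    m = re.search(r';\s*boundary=(?:"([^"]+)"|([^;\s]+))', content_type)
    if not m:
        raise MultipartError("no boundary parameter")
    boundary = m.group(1) or m.group(2)
    if not _BOUNDARY_RE.match(boundary) or boundary.endswith(" "):
        raise MultipartError("boundary violates RFC 2046 length or character set")
    return boundary.encode("ascii")


def parse_multipart(body: bytes, content_type: str) -> list[tuple[dict, bytes]]:
    """Return [(headers, data), ...]. Every loop iteration moves `pos` forward, so a
    malformed delimiter can only end the parse, never stall it."""
    if len(body) > MAX_BODY_BYTES:
        raise MultipartError("body too large")
    delim = b"--" + boundary_from_content_type(content_type)
    parts: list[tuple[dict, bytes]] = []
    pos = body.find(delim)                    # RFC 2046 allows a preamble before the first delimiter
    if pos < 0:
        raise MultipartError("first delimiter missing")
    while True:
        pos += len(delim)                     # past the delimiter; strictly increases each pass
        tail = body[pos:pos + 2]
        if tail == b"--":
            return parts                      # closing delimiter "--boundary--"; epilogue ignored
        if tail != b"\r\n":
            # The case the advisory describes: bytes appended after the boundary. A lenient
            # parser that rescans from here can spin; reject instead of retrying.
            raise MultipartError(f"unexpected bytes after delimiter at offset {pos}")
        pos += 2
        nxt = body.find(b"\r\n" + delim, pos)
        if nxt < 0:
            raise MultipartError("unterminated part")
        raw = body[pos:nxt]
        head, sep, data = raw.partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part without header/body separator")
        if len(data) > MAX_PART_BYTES:
            raise MultipartError("part too large")
        if len(parts) >= MAX_PARTS:
            raise MultipartError("too many parts")
        headers: dict = {}
        for line in head.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append((headers, data))
        pos = nxt + 2                         # skip the CRLF that precedes the next delimiter


def is_rejected(body: bytes, content_type: str) -> bool:
    try:
        parse_multipart(body, content_type)
    except MultipartError:
        return True
    return False


# Constructed two-part upload: a small PNG header plus a text field.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=XyZ"
SAMPLE_BODY = (
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"\r\n"
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="board_id"\r\n\r\n'
    b"none\r\n"
    b"--XyZ--\r\n"
)
# Same request with 4 KiB of junk appended to the first boundary line.
PADDED_BODY = SAMPLE_BODY.replace(b"--XyZ\r\n", b"--XyZ" + b"A" * 4096 + b"\r\n", 1)

if __name__ == "__main__":
    for headers, data in parse_multipart(SAMPLE_BODY, SAMPLE_CONTENT_TYPE):
        print(headers, len(data), "bytes")
    print("padded boundary rejected:", is_rejected(PADDED_BODY, SAMPLE_CONTENT_TYPE))
```

RFC 2046 does permit linear whitespace ("transport padding") between a delimiter and its CRLF; this parser treats even that as an error, which is the conservative choice for an upload endpoint that only ever receives browser- or client-library-generated bodies. The same cap-before-parse discipline is the answer to the `board_name` entry: a size limit on the JSON body and a maximum length on the field, enforced before the value reaches the database or the UI.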