GHSA-227r-w5j2-6243

Source

https://github.com/advisories/GHSA-227r-w5j2-6243

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-227r-w5j2-6243/GHSA-227r-w5j2-6243.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-227r-w5j2-6243

Aliases

CVE-2024-11042

Published

2025-03-20T12:32:41Z

Modified

2025-03-21T16:43:08.650365Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

InvokeAI Arbitrary File Deletion vulnerability

Details

In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.

Database specific

{
    "nvd_published_at": "2025-03-20T10:15:23Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T16:32:50Z"
}

References

Affected packages

PyPI / invokeai

Package

Name: invokeai; View open source insights on deps.dev
Purl: pkg:pypi/invokeai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.3.0rc1

Affected versions

2.*

2.2.4.5

2.2.4.6

2.2.4.7

2.2.5

2.3.0a0

2.3.0a1

2.3.0a2

2.3.0a3

2.3.0rc3

2.3.0rc4

2.3.0rc5

2.3.0rc6

2.3.0rc7

2.3.0

2.3.1rc4

2.3.1

2.3.1.post1

2.3.1.post2

2.3.2

2.3.2.post1

2.3.3rc1

2.3.3

2.3.4a0

2.3.4rc1

2.3.4

2.3.4.post1

2.3.5rc1

2.3.5

2.3.5.post1

2.3.5.post2

3.*

3.0.0

3.0.1rc1

3.0.1rc2

3.0.1

3.0.1.post1

3.0.1.post2

3.0.1.post3

3.0.2a1

3.0.2rc1

3.0.2

3.0.2.post1

3.1.0

3.1.1rc1

3.1.1

3.2.0

3.3.0

3.3.0.post1

3.3.0.post2

3.3.0.post3

3.4.0rc2

3.4.0rc3

3.4.0rc4

3.4.0

3.4.0.post1

3.4.0.post2

3.5.0rc1

3.5.0rc2

3.5.0rc3

3.5.0

3.5.1

3.6.0rc1

3.6.0rc2

3.6.0rc3

3.6.0rc4

3.6.0rc5

3.6.0rc6

3.6.0

3.6.1

3.6.2

3.6.3rc1

3.6.3

3.7.0

4.*

4.0.0rc1

4.0.0rc2

4.0.0rc4

4.0.0rc5

4.0.0rc6

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.2.0a1

4.2.0a2

4.2.0a3

4.2.0a4

4.2.0b1

4.2.0b2

4.2.0

4.2.1

4.2.2

4.2.2.post1

4.2.3

4.2.4

4.2.5

4.2.6a1

4.2.6rc1

4.2.6

4.2.6.post1

4.2.7rc1

4.2.7

4.2.7.post1

4.2.8rc1

4.2.8rc2

4.2.8

4.2.9.dev3

4.2.9.dev4

4.2.9.dev5

4.2.9.dev6

4.2.9.dev7

4.2.9.dev8

4.2.9.dev9

4.2.9.dev10

4.2.9.dev11

4.2.9.dev12

4.2.9.dev20240823

4.2.9.dev20240824

4.2.9rc1

4.2.9rc2

4.2.9

5.*

5.0.0.dev13

5.0.0a1

5.0.0a2

5.0.0a3

5.0.0a4

5.0.0a5

5.0.0a6

5.0.0a7

5.0.0a8

5.0.0rc1

5.0.0rc2

5.0.0

5.0.1

5.0.2

5.1.0rc1

5.1.0rc2

5.1.0rc3

5.1.0rc4

5.1.0rc5

5.1.0

5.1.1

5.2.0rc1

5.2.0rc2

5.2.0