CVE-2024-11042
Published 2025-03-20
CVE-2024-11042: In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized…
Priority: P358 · Severity: critical · CVSS 3.0 base score: 9.1
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 1.35% (68.0th percentile)
In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invoke-ai | invoke-ai_invokeai | >= 0 < 5.3.0rc1 | 5.3.0rc1 |
| invoke-ai | invoke-ai_invokeai | >= unspecified < 5.3.0 | 5.3.0 |
Sources
OSV (2025-03-20): InvokeAI Arbitrary File Deletion vulnerability, CVE-2024-11042 [CRITICAL]; same description as above.
GHSA (2025-03-20): InvokeAI Arbitrary File Deletion vulnerability, CVE-2024-11042 [CRITICAL], CWE-20; same description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-20