CVE-2024-10821 HIGH

CVE-2024-10821: Denial of Service (DoS) in invoke-ai/invokeai

Vendor Invoke-Ai
Product invoke-ai/invokeai
Weakness CWE-835
Published March 20, 2025
Last update October 15, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
October 15, 2025 Record updated