CVE-2024-12029 CRITICAL

CVE-2024-12029: Remote Code Execution via Model Deserialization in invoke-ai/invokeai

Vendor Invoke-Ai
Product invoke-ai/invokeai
Weakness CWE-502 · Unsafe deserialization
Published March 20, 2025
Last update March 20, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated