invokeai 4.2.9.dev20240823 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the invokeai package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Directory Traversal InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process Affected versions of this package are vulnerable to Directory Traversal via the `_is_valid_path` method. An attacker can download arbitrary files via the `/images/download/get_bulk_download_item` endpoint by sending requests containing relative paths (e.g., `../`) Note: This vulnerability is only applicable to Windows systems. How to fix Directory Traversal? Upgrade `InvokeAI` to version 6.7.0rc1 or higher.	[,6.7.0rc1)
C External Control of File Name or Path InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process Affected versions of this package are vulnerable to External Control of File Name or Path via the `GET /api/v1/images/download/{bulk_download_item_name}` endpoint. An attacker can read and delete arbitrary files on the server, including sensitive files such as SSH keys, databases, and configuration files, by manipulating the filename arguments. How to fix External Control of File Name or Path? Upgrade `InvokeAI` to version 6.7.0 or higher.	[,6.7.0)
H Denial of Service (DoS) InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process Affected versions of this package are vulnerable to Denial of Service (DoS) through the `board_name` field during a PATCH request to the /api/v1/boards/{board_id} endpoint. An attacker can cause the UI to become unresponsive, preventing users from interacting with or managing the affected board by sending an excessively large payload. How to fix Denial of Service (DoS)? Upgrade `InvokeAI` to version 5.10.0.dev1 or higher.	[,5.10.0.dev1)
H Denial of Service (DoS) InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process Affected versions of this package are vulnerable to Denial of Service (DoS) through the multipart request boundary processing mechanism. An attacker can cause excessive resource consumption and trigger an infinite loop, leading to a complete denial of service for all users by appending excessive characters to the end of multipart boundaries. How to fix Denial of Service (DoS)? Upgrade `InvokeAI` to version 5.13.0rc2 or higher.	[,5.13.0rc2)
H Directory Traversal InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process Affected versions of this package are vulnerable to Directory Traversal through the web API `POST /api/v1/images/delete`. An attacker can delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files, by sending a crafted request to the endpoint. How to fix Directory Traversal? Upgrade `InvokeAI` to version 5.3.0rc1 or higher.	[,5.3.0rc1)

Vulnerability

Vulnerable Version

Directory Traversal

InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions of this package are vulnerable to Directory Traversal via the _is_valid_path method. An attacker can download arbitrary files via the /images/download/get_bulk_download_item endpoint by sending requests containing relative paths (e.g., ../)

Note: This vulnerability is only applicable to Windows systems.

How to fix Directory Traversal?

Upgrade InvokeAI to version 6.7.0rc1 or higher.

[,6.7.0rc1)

External Control of File Name or Path

InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions of this package are vulnerable to External Control of File Name or Path via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. An attacker can read and delete arbitrary files on the server, including sensitive files such as SSH keys, databases, and configuration files, by manipulating the filename arguments.

How to fix External Control of File Name or Path?

Upgrade InvokeAI to version 6.7.0 or higher.

[,6.7.0)

Denial of Service (DoS)

InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions of this package are vulnerable to Denial of Service (DoS) through the board_name field during a PATCH request to the /api/v1/boards/{board_id} endpoint. An attacker can cause the UI to become unresponsive, preventing users from interacting with or managing the affected board by sending an excessively large payload.

How to fix Denial of Service (DoS)?

Upgrade InvokeAI to version 5.10.0.dev1 or higher.

[,5.10.0.dev1)

Denial of Service (DoS)

InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions of this package are vulnerable to Denial of Service (DoS) through the multipart request boundary processing mechanism. An attacker can cause excessive resource consumption and trigger an infinite loop, leading to a complete denial of service for all users by appending excessive characters to the end of multipart boundaries.

How to fix Denial of Service (DoS)?

Upgrade InvokeAI to version 5.13.0rc2 or higher.

[,5.13.0rc2)

Directory Traversal

InvokeAI is an An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

Affected versions of this package are vulnerable to Directory Traversal through the web API POST /api/v1/images/delete. An attacker can delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files, by sending a crafted request to the endpoint.

How to fix Directory Traversal?

Upgrade InvokeAI to version 5.3.0rc1 or higher.

[,5.3.0rc1)

invokeai@4.2.9.dev20240823 vulnerabilities

An implementation of Stable Diffusion which provides various new features and options to aid the image generation process

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically