CVE-2024-11042

CRITICAL

invoke-ai/invokeai v5.0.2 - Arbitrary File Deletion via POST /api/v1/images/delete

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11042. The PoC was published by gothburz.

AI-analyzed exploit summary: The PoC sends a crafted JSON POST request to the image-deletion API endpoint, passing image-name values that the server turns into filesystem paths and unlinks, and so demonstrates unauthenticated deletion of files the endpoint was never meant to touch. The script builds the JSON payload and custom request headers itself.

Description

In invoke-ai/invokeai v5.0.2, the web API endpoint `POST /api/v1/images/delete` is vulnerable to arbitrary file deletion (CWE-73, external control of file name or path): the image names supplied in the request body are used to build the filesystem path that gets unlinked, without confining the result to the image output directory. Because the endpoint requires no authentication (CVSS PR:N), a remote attacker can delete any file the server process has permission to remove, including critical or sensitive files such as SSH keys, SQLite databases and configuration files, which compromises the integrity and availability of applications that rely on them.
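As an added example (not InvokeAI's code and not the PoC linked below), the following Python models the CWE-73 pattern behind this class of bug next to the containment check that closes it: a client-supplied image name joined onto the image output directory, once with no validation and once restricted to a bare filename that must resolve directly under the output directory. The scratch directory layout, the `invokeai.db` stand-in and every image name used are constructed for the demonstration.

```python
"""
Model of the file-path handling behind CVE-2024-11042 (CWE-73).

Added example, not InvokeAI's code: `vulnerable_delete_path` mimics the
pattern of joining a client-supplied image name onto the image output
directory with no containment check; `safe_delete_path` adds the check.
All directory and file names are constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path


def vulnerable_delete_path(output_dir: str, image_name: str) -> str:
    # Assumed vulnerable pattern: the name from the JSON body goes straight
    # into the path. "../" segments walk out of output_dir, and an absolute
    # name replaces it entirely, because os.path.join discards every
    # component that precedes an absolute one.
    return os.path.join(output_dir, image_name)


def safe_delete_path(output_dir: str, image_name: str) -> str:
    # Hardened form. Step 1: accept only a bare filename, so "../x",
    # "sub/x" and "/etc/x" are rejected before any path is built.
    if image_name in ("", ".", "..") or image_name != os.path.basename(image_name):
        raise ValueError(f"refusing image name {image_name!r}: not a bare filename")
    # Step 2: resolve symlinks and ".." and require the target to sit directly
    # under the resolved output directory. This also rejects a symlink planted
    # inside output_dir that points elsewhere, which matters if the same
    # helper is later reused for reads or writes rather than unlink.
    base = Path(output_dir).resolve()
    target = (base / image_name).resolve()
    if target.parent != base:
        raise ValueError(f"refusing {image_name!r}: resolves outside {base}")
    return str(target)


def screen_names(output_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each candidate image name to whether the hardened check accepts it."""
    verdicts = {}
    for name in names:
        try:
            safe_delete_path(output_dir, name)
            verdicts[name] = True
        except ValueError:
            verdicts[name] = False
    return verdicts


def delete_image(output_dir: str, image_name: str, path_builder=safe_delete_path) -> bool:
    """Unlink one image through the chosen path builder; True if a file was removed."""
    path = path_builder(output_dir, image_name)
    if os.path.isfile(path):
        os.remove(path)
        return True
    return False


def demo() -> dict[str, bool]:
    """Run both variants against a scratch tree and report what survived."""
    root = tempfile.mkdtemp()
    outputs = os.path.join(root, "outputs", "images")
    os.makedirs(outputs)
    database = os.path.join(root, "invokeai.db")  # constructed stand-in for a sensitive file
    Path(os.path.join(outputs, "a.png")).write_text("image")
    Path(database).write_text("sqlite")
    traversal = "../../invokeai.db"  # from outputs/images this reaches root/invokeai.db
    results = {"safe_rejects_traversal": not screen_names(outputs, [traversal])[traversal]}
    results["database_before"] = os.path.exists(database)
    delete_image(outputs, traversal, path_builder=vulnerable_delete_path)
    results["database_after"] = os.path.exists(database)
    results["legit_image_deleted"] = delete_image(outputs, "a.png")
    return results


if __name__ == "__main__":
    print(screen_names("/srv/invokeai/outputs/images",
                       ["ok.png", "../../etc/passwd", "/etc/passwd", "sub/ok.png", ".."]))
    print(demo())
```

The bare-filename rule alone already stops every traversal and absolute-path name; the resolve-and-compare step is the belt-and-braces check that stays correct if the output directory itself is ever moved behind a symlink or if names are later allowed to carry a subdirectory.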

Exploits (1)

nomisec WORKING POC
by gothburz · poc
https://github.com/gothburz/CVE-2024-11042

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: invoke-ai/invokeai web API (POST /api/v1/images/delete)
Authentication: none required
Prerequisites: Network access to the target API endpoint · Knowledge of the path of the file to delete on the server
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 9.1
EPSS 0.0093
EPSS Percentile 76.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-73 (External Control of File Name or Path)
Status published
Products (2)
invoke-ai/invoke-ai/invokeai unspecified - 5.3.0
pypi/InvokeAI 0 - 5.3.0rc1 (PyPI)
Published Mar 20, 2025
Tracked Since Feb 18, 2026