CVE-2024-12029
CRITICAL
Pypi Invokeai < 5.4.3rc2 - Insecure Deserialization
Title source: rule
Description
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
Exploits (1)
metasploit
WORKING POC
EXCELLENT
by jackfromeast, Takahiro Yokoyama · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/invokeai_rce_cve_2024_12029.rb
Scores
CVSS v3
9.8
EPSS
0.4913
EPSS Percentile
97.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
draft
Affected Products (1)
pypi/InvokeAI
< 5.4.3rc2
PyPI
Timeline
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026