CVE-2023-46315: Infinite Image Browsing: path traversal leaks credentials

HIGH
Published October 22, 2023
CISO Take

Any Stable Diffusion deployment running the Infinite Image Browsing extension with Gradio auth but without a secret key is fully exposed to unauthenticated credential theft via a single HTTP request. Attackers can read /proc/self/environ to harvest API keys, cloud tokens, and database passwords with zero effort. Patch to commit 977815a immediately and rotate all credentials on affected systems.

What is the risk?

High severity with trivial exploitability. Zero authentication, zero user interaction, and a network-accessible attack vector combine to make this a priority target for opportunistic attackers. The confidentiality impact is maximal: Stable Diffusion deployments on cloud GPU instances routinely carry rich credential environments including HuggingFace tokens, OpenAI keys, S3 credentials, and database passwords. The misconfiguration-dependent trigger (Gradio auth enabled without a secret key) is common in community deployments that follow default setup guides.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
stable_diffusion_webui_infinite_image_browsing | - | - | No patch

Do you use stable_diffusion_webui_infinite_image_browsing? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

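AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None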

What should I do?

  1. Update sd-webui-infinite-image-browsing to commit 977815a or later immediately.

  2. If patching is blocked, disable the extension in the SD web UI extensions manager.

  3. Rotate all credentials (API keys, tokens, cloud secrets, DB passwords) present in environment variables on any system that ran the vulnerable version.

  4. Never expose SD web UI directly to the internet — enforce VPN or IP allowlist regardless of auth configuration.

  5. Detection: audit web server access logs for requests matching /file?path= pattern, especially those targeting /proc, /etc, or home directory paths.

  6. Consider running SD processes with minimal environment variables and a dedicated low-privilege service account.
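
Step 5 as a log filter, added here as an example (it is not from the advisory or the extension's code). It assumes the front-end web server writes Combined Log Format; the sample lines, IP addresses and the `/prefix/file` mount point are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Directories named in the detection step (/home and /root cover home directories).
SENSITIVE_DIRS = ("/proc", "/etc", "/home", "/root")


def normalize(raw):
    """Undo a second layer of URL encoding and collapse '..' and '//'."""
    return posixpath.normpath("/" + unquote(raw).lstrip("/"))


def suspicious_file_reads(lines):
    """Return (ip, time, status, path) for /file?path= hits on sensitive dirs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/file"):  # also matches a prefixed mount point
            continue
        for raw in parse_qs(url.query).get("path", []):  # parse_qs decodes once
            path = normalize(raw)
            if any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS):
                hits.append((m["ip"], m["ts"], int(m["status"]), path))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Oct/2023:10:01:02 +0000] "GET /file?path=/proc/self/environ HTTP/1.1" 200 4312 "-" "curl/8.1"',
    '198.51.100.4 - - [22/Oct/2023:10:02:10 +0000] "GET /file?path=/srv/sd/outputs/0001.png HTTP/1.1" 200 91822 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Oct/2023:10:03:44 +0000] "GET /prefix/file?path=%2Fsrv%2Fsd%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 0 "-" "curl/8.1"',
    '192.0.2.9 - - [22/Oct/2023:10:05:00 +0000] "GET /sdapi/v1/options HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, path in suspicious_file_reads(SAMPLE_LOG):
        verdict = "SERVED: rotate secrets" if status == 200 else "not served"
        print(f"{ts} {ip} {status} {path} -> {verdict}")
```

A hit with status 200 means the file was returned, which is the case that triggers the credential rotation in step 3.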

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system security and resilience
NIST AI RMF: MANAGE-2.2 - Treatments and responses to identified AI risks
OWASP LLM Top 10: LLM06:2025 - Excessive Agency / Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2023-46315 actively exploited?

No confirmed active exploitation of CVE-2023-46315 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2023-46315?

This vulnerability affects the following AI/ML architecture patterns: model serving, ml_ui, training pipelines.

What is the CVSS score for CVE-2023-46315?

CVE-2023-46315 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

model serving, ml_ui, training pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

The zanllp sd-webui-infinite-image-browsing (aka Infinite Image Browsing) extension before 977815a for stable-diffusion-webui (aka Stable Diffusion web UI), if Gradio authentication is enabled without secret key configuration, allows remote attackers to read any local file via /file?path= in the URL, as demonstrated by reading /proc/self/environ to discover credentials.
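
A containment check that a file-serving handler such as `/file?path=` can apply regardless of authentication state, shown beside the string-prefix comparison it should replace. This is an added example, not the extension's code or the change made in 977815a; `resolve_inside`, `naive_prefix_check` and the directory layout are hypothetical.

```python
import os
import tempfile


def naive_prefix_check(requested, allowed_roots):
    """Weak form: compares strings, so '..' and symlinks slip through."""
    return any(requested.startswith(root) for root in allowed_roots)


def resolve_inside(requested, allowed_roots):
    """Return the resolved path if it lies under an allowed root, else None."""
    real = os.path.realpath(requested)  # collapses '..' and follows symlinks
    for root in allowed_roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            return real
    return None


def demo():
    """Build a throwaway tree and run both checks over four requests."""
    base = tempfile.mkdtemp()
    outputs = os.path.join(base, "outputs")  # hypothetical image directory
    os.makedirs(outputs)
    image = os.path.join(outputs, "0001.png")
    secret = os.path.join(base, "secret.env")  # stands in for a file outside it
    for p in (image, secret):
        open(p, "wb").close()
    link = os.path.join(outputs, "link.png")
    os.symlink(secret, link)  # symlink that escapes the image directory

    requests = {
        "image": image,
        "absolute": "/proc/self/environ",
        "dotdot": os.path.join(outputs, "..", "secret.env"),
        "symlink": link,
    }
    roots = [outputs]
    return {
        name: (naive_prefix_check(path, roots), resolve_inside(path, roots) is not None)
        for name, path in requests.items()
    }


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name:9} naive={naive!s:5} resolved={strict}")
```

Only the genuine image passes the resolved check; the `..` and symlink requests pass the prefix comparison but are rejected once the path is resolved.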

Exploitation Scenario

An adversary scans internet-facing hosts for Stable Diffusion web UI instances and confirms the Infinite Image Browsing extension is active. They issue a single unauthenticated GET request to https://target/file?path=/proc/self/environ. The server responds with all environment variables of the running process, including HuggingFace API tokens, OpenAI keys, AWS credentials, and database connection strings. Using the harvested HuggingFace token, the attacker accesses private model repositories; with AWS credentials they pivot to S3 buckets containing proprietary training datasets. The entire chain requires no AI/ML knowledge — just knowledge of the Linux /proc filesystem.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: October 22, 2023
Last Modified: November 21, 2024
First Seen: October 22, 2023
