CVE-2024-12029: InvokeAI: RCE via unsafe torch.load deserialization

GHSA-mcrp-whpw-jp68 | Severity: CRITICAL | PoC available
Published March 21, 2025
CISO Take

InvokeAI versions 5.3.1–5.4.2 allow unauthenticated remote code execution by submitting a malicious model file to the install API — no credentials required, no user interaction needed. Patch immediately to 5.4.3rc2+; if unavailable, firewall the /api/v2/models/install endpoint and audit all previously installed model sources. Any internet-exposed InvokeAI instance should be treated as potentially compromised.

What is the risk?

Extremely high risk. CVSS 9.8 with no authentication barrier, no user interaction, and a network-accessible attack vector means any exposed InvokeAI instance is trivially exploitable. The EPSS score of 5.34% (higher than 92% of all CVEs) is the estimated probability of exploitation in the wild within 30 days; combined with a public Metasploit module, that means exposed instances should be treated as actively targeted. The torch.load pickle deserialization attack pattern is well documented and weaponized public tooling exists. Organizations running shared InvokeAI instances or SaaS wrappers built on InvokeAI face the highest blast radius.

What systems are affected?

Package    Ecosystem   Vulnerable Range         Patched
InvokeAI   pip         >= 5.3.1, < 5.4.3rc2     5.4.3rc2

Do you use InvokeAI? If you run any version from 5.3.1 through 5.4.2, you're affected.

How severe is it?

CVSS 3.1: 9.8 / 10 (CRITICAL)
EPSS: 5.3% chance of exploitation in 30 days (higher than 92% of all CVEs)
Exploitation status: exploit available; exploitation likelihood MEDIUM; sophistication trivial; exploitation confidence medium
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

  1. Upgrade to InvokeAI >= 5.4.3rc2 (or any later release) immediately; this is the only complete fix.
  2. If patching is blocked, restrict network access to /api/v2/models/install via firewall rules or reverse-proxy ACLs; require IP allowlisting or authentication at the proxy layer. This only closes the remote install path: model files already on disk are still passed to torch.load when loaded, so steps 3 and 4 still apply.
  3. Audit model install logs for unexpected sources (non-HuggingFace/CivitAI origins, unusual client IP addresses, recent installs), and check outbound downloads made by the InvokeAI host, since the server fetches whatever URL the caller supplies.
  4. Scan all previously loaded model files with pickle inspection tooling (picklescan, modelscan) to detect pre-existing compromise.
  5. Rotate credentials on any host that ran an affected version, assuming compromise.
  6. Enable endpoint detection on InvokeAI hosts to surface post-exploitation activity (reverse shells, anomalous child processes).

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system operation
NIST AI RMF
  GOVERN 6.2 - AI supply chain policies and procedures
  MANAGE 2.2 - Mechanisms for identifying and remediating AI risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-12029?

InvokeAI versions 5.3.1–5.4.2 allow unauthenticated remote code execution by submitting a malicious model file to the install API — no credentials required, no user interaction needed. Patch immediately to 5.4.3rc2+; if unavailable, firewall the /api/v2/models/install endpoint and audit all previously installed model sources. Any internet-exposed InvokeAI instance should be treated as potentially compromised.

Is CVE-2024-12029 actively exploited?

A weaponized Metasploit module (exploit/linux/http/invokeai_rce_cve_2024_12029) exists for CVE-2024-12029, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

How to fix CVE-2024-12029?

  1. Upgrade to InvokeAI >= 5.4.3rc2 immediately; this is the only complete fix.
  2. If patching is blocked, restrict network access to /api/v2/models/install via firewall rules or reverse-proxy ACLs; require IP allowlisting or authentication at the proxy layer.
  3. Audit model install logs for unexpected sources (non-HuggingFace/CivitAI origins, unusual IP addresses, recent installs).
  4. Scan all previously loaded model files with pickle inspection tooling (picklescan, modelscan) to detect pre-existing compromise.
  5. Rotate credentials on any host that ran an affected version, assuming compromise.
  6. Enable endpoint detection on InvokeAI hosts to surface post-exploitation activity (reverse shells, anomalous child processes).

What systems are affected by CVE-2024-12029?

This vulnerability affects the following AI/ML architecture patterns: AI image generation platforms, model serving infrastructure, on-premise AI deployments, shared AI compute environments, ML model distribution pipelines.

What is the CVSS score for CVE-2024-12029?

CVE-2024-12029 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 5.34%.

What is the AI security impact?

Affected AI Architectures

  • AI image generation platforms
  • Model serving infrastructure
  • On-premise AI deployments
  • Shared AI compute environments
  • ML model distribution pipelines

MITRE ATLAS Techniques

AML.T0010.003 AI Supply Chain Compromise: Model
AML.T0011.000 User Execution: Unsafe AI Artifacts
AML.T0018.002 Manipulate AI Model: Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 6.2, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3rc2.

Exploitation Scenario

An adversary crafts a malicious PyTorch checkpoint (.ckpt or .pt) whose pickle stream carries a __reduce__ payload that spawns a reverse shell or downloads a persistent backdoor, hosts it at any URL the target can reach, and submits that URL to the unauthenticated /api/v2/models/install HTTP API. InvokeAI fetches the file and passes it to torch.load() without weights_only=True or any allowlist of permitted globals, so pickle deserialization resolves the payload's callable and invokes it with the privileges of the InvokeAI process. Within seconds of the download completing the attacker has shell access to the inference host, including any attached GPU, stored API keys, and the internal network. Because the server performs the fetch, the outbound download from the InvokeAI host is itself a detection point. For broader campaigns, the adversary publishes the malicious model to CivitAI or HuggingFace so that many InvokeAI deployments pull it in. Note that torch.load(weights_only=True) restricts unpickling to tensors and primitive containers, which is sufficient for a state_dict but rejects checkpoints that pickle arbitrary Python objects; the safetensors format avoids pickle entirely.
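The load path described above, as an added example that is neither InvokeAI's nor PyTorch's code: plain pickle stands in for torch so the block runs without PyTorch, and the allowlisting Unpickler is the same idea as torch.load(weights_only=True), not its implementation. The poisoned checkpoint, the marker environment variable and the allowlist are all constructed for the demonstration; the payload only sets that variable so the effect is observable and harmless, where a real one would call os.system or open a reverse shell.

```python
"""Vulnerable loader beside its hardened form (added example, not project code).
A pickle-based checkpoint is a program: __reduce__ tells the unpickler which
callable to invoke on load, which is exactly what CVE-2024-12029 abuses."""
import collections
import io
import os
import pickle

MARKER = "INVOKEAI_PICKLE_DEMO"   # constructed marker, not an InvokeAI setting


class PoisonedCheckpoint:
    """Constructed payload: pickle stores (callable, args) and calls it on load."""
    def __reduce__(self):
        # A real payload would call os.system or spawn a reverse shell here.
        return (exec, (f"__import__('os').environ['{MARKER}'] = 'executed'",))


def poisoned_checkpoint_bytes() -> bytes:
    return pickle.dumps(PoisonedCheckpoint(), protocol=2)


def benign_checkpoint_bytes() -> bytes:
    """Constructed state_dict-like object with no executable content."""
    return pickle.dumps(collections.OrderedDict(weight=[0.5, -0.25]), protocol=2)


def load_unsafe(data: bytes):
    """Mirrors the pre-fix torch.load(f): full pickle, any global is resolvable."""
    return pickle.loads(data)


class AllowlistUnpickler(pickle.Unpickler):
    """Mirrors the weights_only idea: find_class only resolves named globals,
    so builtins.exec (or posix.system, subprocess.Popen, ...) is never imported."""
    ALLOWED = {("collections", "OrderedDict")}   # illustrative subset

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def load_hardened(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def marker_set() -> bool:
    return os.environ.get(MARKER) == "executed"


def demo() -> dict:
    """Hardened loader first, so its result is not masked by the unsafe one."""
    os.environ.pop(MARKER, None)
    results = {}
    try:
        load_hardened(poisoned_checkpoint_bytes())
        results["hardened_blocked"] = False
    except pickle.UnpicklingError:
        results["hardened_blocked"] = True
    results["hardened_marker"] = marker_set()          # payload never ran
    results["benign_ok"] = list(load_hardened(benign_checkpoint_bytes()).keys()) == ["weight"]
    load_unsafe(poisoned_checkpoint_bytes())           # code runs during load
    results["unsafe_marker"] = marker_set()
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened loader fails on the GLOBAL opcode, before the REDUCE that would invoke the payload, which is why an allowlist in find_class (rather than inspecting the loaded object afterwards) is the right place for the check. Real checkpoints need torch's own allowlist, which is what weights_only=True supplies.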

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 21, 2025
Last Modified: May 20, 2025
First Seen: March 24, 2026

Related Vulnerabilities