CVE-2024-12029: InvokeAI: RCE via unsafe torch.load deserialization

GHSA-mcrp-whpw-jp68 CRITICAL PoC AVAILABLE
Published March 21, 2025
CISO Take

InvokeAI versions 5.3.1–5.4.2 allow unauthenticated remote code execution by submitting a malicious model file to the install API — no credentials required, no user interaction needed. Patch immediately to 5.4.3rc2+; if unavailable, firewall the /api/v2/models/install endpoint and audit all previously installed model sources. Any internet-exposed InvokeAI instance should be treated as potentially compromised.

Risk Assessment

Extremely high risk. CVSS 9.8 with no authentication barrier, no user interaction, and a network-accessible attack vector means any exposed InvokeAI instance is trivially exploitable. EPSS of 0.49 signals ~49% probability of active exploitation within 30 days — treat as imminently targeted. The torch.load pickle deserialization attack pattern is well-documented and weaponized public tooling exists. Organizations running shared InvokeAI instances or SaaS wrappers built on InvokeAI face the highest blast radius.

Affected Systems

Package   Ecosystem  Vulnerable Range       Patched
InvokeAI  pip        >= 5.3.1, < 5.4.3rc2   5.4.3rc2

Do you use InvokeAI? You're affected.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 44.2% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 44%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Upgrade to InvokeAI ≥ 5.4.3rc2 immediately — this is the only complete fix.
  2. If patching is blocked, restrict network access to /api/v2/models/install via firewall rules or reverse-proxy ACLs; require IP allowlisting or authentication at the proxy layer.
  3. Audit model install logs for unexpected sources (non-HuggingFace/CivitAI origins, unusual IP addresses, recent installs).
  4. Scan all previously loaded model files using pickle inspection tooling (picklescan, modelscan) to detect pre-existing compromises.
  5. Rotate credentials on any host running affected versions, assuming compromise.
  6. Enable endpoint detection on InvokeAI hosts to surface post-exploitation activity (reverse shells, anomalous child processes).

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system operation
NIST AI RMF
  GOVERN 6.2 - AI supply chain policies and procedures
  MANAGE 2.2 - Mechanisms for identifying and remediating AI risks
OWASP LLM Top 10
  LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-12029 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12029, increasing the risk of exploitation.

What systems are affected by CVE-2024-12029?

This vulnerability affects the following AI/ML architecture patterns: AI image generation platforms, model serving infrastructure, on-premise AI deployments, shared AI compute environments, ML model distribution pipelines.

What is the CVSS score for CVE-2024-12029?

CVE-2024-12029 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 44.16%.

Technical Details

NVD Description

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3rc2.

Exploitation Scenario

An adversary crafts a malicious PyTorch model file (.ckpt or .pt) embedding a Python pickle payload that spawns a reverse shell or downloads a persistent backdoor. They submit the model URL to the unauthenticated /api/v2/models/install HTTP API. InvokeAI fetches the file and calls torch.load() without weights_only=True or any allowlist validation, triggering pickle deserialization and executing the payload with the privileges of the InvokeAI process. In under 60 seconds the attacker has shell access to the inference host — including any attached GPU, stored API keys, and access to the internal network. For broader campaigns, the adversary publishes the malicious model to CivitAI or HuggingFace to target multiple InvokeAI deployments simultaneously.
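As an added example (not InvokeAI's code), here is the defensive check step 4 above calls for: a dependency-free scanner that lists every import a checkpoint's pickle stream references without ever unpickling it, handling both a bare .ckpt/.pt stream and the zip layout torch.save uses. The allowlist, archive names and fixtures are assumptions and the fixture streams are constructed inline; loading with torch.load(..., weights_only=True) remains the primary fix, and this scan is for auditing models that were installed before the patch.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist: modules a legitimate PyTorch checkpoint may reference.
# Allowlisting flags any unexpected import, whichever module a payload uses.
SAFE_MODULES = {"torch", "torch._utils", "collections", "numpy", "numpy.core.multiarray"}

def globals_in_pickle(data: bytes):
    """Yield (module, name) for each GLOBAL/STACK_GLOBAL opcode, never unpickling."""
    strings = []  # recent string pushes; STACK_GLOBAL consumes the last two
    for op, arg, _ in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            yield module, name
        elif op.name.endswith(("STRING", "UNICODE", "UNICODE8")):
            strings.append(arg)

def pickle_streams(data: bytes):
    """torch.save writes a zip with the pickle at <prefix>/data.pkl; older
    .ckpt/.pt files are a bare pickle stream. Return every stream to inspect."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return [data]

def scan_model_bytes(data: bytes) -> list:
    """Return 'module.name' for every reference outside SAFE_MODULES."""
    return [f"{m}.{n}" for s in pickle_streams(data)
            for m, n in globals_in_pickle(s) if m not in SAFE_MODULES]

def wrap_as_torch_zip(stream: bytes) -> bytes:
    """Place a pickle stream in the zip layout torch.save uses (assumed prefix 'archive')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", stream)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()

# Constructed fixtures. The suspicious stream is hand-assembled: PROTO 2, one
# GLOBAL opcode naming os.system, STOP. It has no REDUCE, so it executes
# nothing if unpickled; it exists only to exercise the scanner.
BENIGN_CKPT = pickle.dumps({"state_dict": OrderedDict(weight=[0.1, 0.2])}, protocol=4)
SUSPICIOUS_STREAM = b"\x80\x02cos\nsystem\n."
```

scan_model_bytes(open(path, "rb").read()) returns an empty list for a clean checkpoint and the offending module.name references otherwise; any non-empty result on a file from an untrusted source is grounds for quarantine rather than loading.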

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 21, 2025
Last Modified: May 20, 2025
First Seen: March 24, 2026
