A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files...
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| InvokeAI | pip | >= 5.3.1, < 5.4.3rc2 | 5.4.3rc2 |
Recommended Action
Patch available
Update InvokeAI to version 5.4.3rc2
Technical Details
NVD Description
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3rc2.
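A defensive pre-load check for the weakness described above, as an added example that is not InvokeAI's code or its fix: it lists the imports a model file's pickle stream requests, without unpickling it, and reports any that fall outside an allowlist. The function names, the allowlist contents and the sample byte strings are assumptions constructed for this example.

```python
import collections
import io
import pickle
import pickletools
import zipfile

# Assumed allowlist for this example: globals a plain tensor state_dict needs.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def pickle_globals(data: bytes):
    """List the (module, name) imports a pickle stream requests, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":  # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":  # protocol 4+: operands come from the stack
            # Fail closed unless the two operands are literal strings pushed just before.
            pair = tuple(strings[-2:]) if len(strings) >= 2 else ("<unresolved>",) * 2
            found.append(pair)
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name not in MEMO_OPS:
            strings = []
    return found


def disallowed_in_model(blob: bytes):
    """Return requested globals outside the allowlist for a raw or zip-format model file."""
    streams = [blob]
    if zipfile.is_zipfile(io.BytesIO(blob)):  # zip-format checkpoints keep pickles in *.pkl
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            streams = [zf.read(n) for n in zf.namelist() if n.endswith(".pkl")]
    return [g for s in streams for g in pickle_globals(s) if g not in ALLOWED_GLOBALS]


# Constructed samples: serialised here and only scanned, never unpickled.
BENIGN = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=3)
SUSPECT = pickle.dumps(print, protocol=4)  # bare reference to a non-allowlisted callable

if __name__ == "__main__":
    print(disallowed_in_model(BENIGN), disallowed_in_model(SUSPECT))
```

A non-empty result means the file asks the unpickler to import something a weights-only checkpoint has no need for, so it should be rejected before any call to `torch.load`. On PyTorch versions that support it, `torch.load(..., weights_only=True)` applies a comparable restriction at load time.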
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-mcrp-whpw-jp68
- github.com/invoke-ai/InvokeAI/commit/ed46acee79460189b38c164321b14bdfbf3073c9
- github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e
- github.com/pypa/advisory-database/tree/main/vulns/invokeai/PYSEC-2025-9.yaml
- huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3
- nvd.nist.gov/vuln/detail/CVE-2024-12029