CVE-2024-11042 Overview
A critical arbitrary file deletion vulnerability exists in invoke-ai/invokeai version v5.0.2 through its web API endpoint POST /api/v1/images/delete. This directory traversal vulnerability allows unauthorized attackers to delete arbitrary files on the server by manipulating image name parameters to escape the intended output directory. The vulnerability can be exploited to remove critical system files including SSH keys, SQLite databases, and configuration files, severely impacting the integrity and availability of applications dependent on these resources.
Critical Impact
Unauthenticated attackers can delete arbitrary files on InvokeAI servers, potentially destroying SSH keys, databases, and configuration files, leading to complete system compromise or denial of service.
Affected Products
- InvokeAI v5.0.2
- InvokeAI versions prior to the security patch at commit 5440c037674882b2ab7acd59087e9bb04b49657a
Discovery Timeline
- 2025-03-20 - CVE CVE-2024-11042 published to NVD
- 2025-10-15 - Last updated in NVD database
Technical Details for CVE-2024-11042
Vulnerability Analysis
This vulnerability stems from CWE-73 (External Control of File Name or Path), which occurs when an application uses user-controlled input to construct file paths without proper validation. In InvokeAI's implementation, the get_path function within image_files_disk.py directly concatenated user-supplied image names with the output folder path, allowing attackers to inject path traversal sequences (e.g., ../) to target files outside the intended directory.
The attack requires no authentication and can be executed over the network, making it particularly dangerous for publicly accessible InvokeAI installations. Successful exploitation enables attackers to delete any file the InvokeAI process has write permissions for, potentially leading to application crashes, data loss, or complete system compromise.
Root Cause
The root cause is insufficient input validation in the get_path method of the ImageFilesService class. The original implementation directly joined the user-supplied image_name parameter with the __output_folder path without sanitizing path traversal characters or verifying the resulting path remained within the intended directory boundary.
Attack Vector
An attacker can exploit this vulnerability by sending a malicious POST request to /api/v1/images/delete with a crafted image_name parameter containing directory traversal sequences. For example, an attacker could submit an image name like ../../../etc/important_config.conf to delete files outside the designated image storage directory. Since no authentication is required, any attacker with network access to the InvokeAI API can execute this attack.
# Security patch from invokeai/app/services/image_files/image_files_disk.py
# Source: https://github.com/invoke-ai/invokeai/commit/5440c037674882b2ab7acd59087e9bb04b49657a
except Exception as e:
raise ImageFileDeleteException from e
- # TODO: make this a bit more flexible for e.g. cloud storage
def get_path(self, image_name: str, thumbnail: bool = False) -> Path:
- path = self.__output_folder / image_name
+ base_folder = self.__thumbnails_folder if thumbnail else self.__output_folder
+ filename = get_thumbnail_name(image_name) if thumbnail else image_name
- if thumbnail:
- thumbnail_name = get_thumbnail_name(image_name)
- path = self.__thumbnails_folder / thumbnail_name
+ # Strip any path information from the filename
+ basename = Path(filename).name
+
+ if basename != filename:
+ raise ValueError("Invalid image name, potential directory traversal detected")
+
+ image_path = base_folder / basename
+
+ if not resolved_image_path.is_relative_to(resolved_base):
+ raise ValueError("Image path outside outputs folder, potential directory traversal detected")
- return path
+ return resolved_image_path
The patch implements two critical safeguards: stripping path components from filenames and verifying the resolved path remains within the designated base folder using is_relative_to().
Detection Methods for CVE-2024-11042
Indicators of Compromise
- Unexpected file deletions on systems running InvokeAI, particularly of configuration files, SSH keys, or databases
- HTTP POST requests to /api/v1/images/delete containing path traversal sequences such as ../ or URL-encoded variants (%2e%2e%2f)
- Application logs showing file deletion errors for paths outside the expected image output directories
- Missing critical system files or configuration data following InvokeAI API activity
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing directory traversal patterns in the image name parameter
- Monitor InvokeAI application logs for ValueError exceptions related to "potential directory traversal detected" (in patched versions)
- Set up file integrity monitoring (FIM) on critical system files to detect unauthorized deletions
- Analyze HTTP access logs for suspicious patterns in POST requests to /api/v1/images/delete
Monitoring Recommendations
- Enable verbose logging for the InvokeAI API to capture all file deletion requests with their full parameters
- Deploy intrusion detection systems (IDS) with signatures for path traversal attack patterns
- Implement real-time alerting for any file system changes outside designated InvokeAI directories
- Monitor for anomalous network traffic patterns indicating exploitation attempts
How to Mitigate CVE-2024-11042
Immediate Actions Required
- Upgrade InvokeAI to a version containing the security fix at commit 5440c037674882b2ab7acd59087e9bb04b49657a or later
- Restrict network access to the InvokeAI API to trusted IP addresses or internal networks only
- Implement reverse proxy authentication in front of the InvokeAI API if public access is required
- Audit file permissions to ensure the InvokeAI process runs with minimal required privileges
Patch Information
The vulnerability has been addressed in the official InvokeAI repository. The security fix is available in GitHub commit 5440c03767. The patch implements proper input sanitization by extracting only the basename from user-supplied filenames and validates that resolved paths remain within the authorized base folder using Python's Path.is_relative_to() method. Additional technical details are available in the Huntr bounty submission.
Workarounds
- Deploy a reverse proxy (nginx, Apache) with ModSecurity or similar WAF to filter requests containing path traversal patterns before they reach InvokeAI
- Restrict the InvokeAI service to listen only on localhost and require VPN or SSH tunnel access
- Run InvokeAI in a containerized environment with limited filesystem access to minimize impact of exploitation
- Implement network segmentation to isolate InvokeAI servers from critical infrastructure
# Example nginx configuration to block path traversal attempts
location /api/v1/images/delete {
# Block requests containing directory traversal patterns
if ($request_body ~* "\.\.\/|\.\.\\|%2e%2e%2f|%2e%2e\/|\.\.%2f") {
return 403;
}
# Restrict access to internal networks only
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
proxy_pass http://127.0.0.1:9090;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
