CVE-2024-12029 Overview
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
Critical Impact
This insecure deserialization vulnerability allows remote attackers to achieve arbitrary code execution on systems running vulnerable InvokeAI versions by uploading maliciously crafted model files, potentially leading to complete system compromise.
Affected Products
- InvokeAI versions 5.3.1 through 5.4.2
- Systems using the /api/v2/models/install API endpoint
- Environments loading untrusted PyTorch model files
Discovery Timeline
- 2025-03-20 - CVE-2024-12029 published to NVD
- 2025-03-20 - Last updated in the NVD database
Technical Details for CVE-2024-12029
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and affects the model installation functionality in InvokeAI. The core issue stems from the application's use of PyTorch's torch.load() function to deserialize model files without implementing adequate security controls.
PyTorch's torch.load() function uses Python's pickle module under the hood for deserialization, which is inherently unsafe when processing untrusted data. When a model file is loaded via the /api/v2/models/install API endpoint, the application deserializes the content directly, allowing arbitrary Python objects to be instantiated and executed.
An attacker can craft a malicious model file containing serialized Python objects that execute arbitrary code when unpickled. Since this endpoint is exposed over the network and requires no authentication or user interaction to exploit, attackers can achieve remote code execution by simply sending a specially crafted model file to the vulnerable API.
Root Cause
The root cause of this vulnerability is the use of torch.load() to deserialize model files without proper validation or sandboxing. PyTorch's documentation explicitly warns against loading models from untrusted sources because the underlying pickle serialization mechanism can execute arbitrary Python code during deserialization. The application failed to implement safeguards such as passing the weights_only=True parameter to torch.load(), validating file signatures, or restricting the types of objects that can be deserialized.
Attack Vector
The attack is network-based and exploits the /api/v2/models/install API endpoint. An attacker crafts a malicious model file by embedding a Python payload within a pickle-serialized object. When the target InvokeAI instance processes the model installation request and loads the malicious file using torch.load(), the embedded code executes with the privileges of the application process.
The attack flow involves:
- Creating a malicious pickle payload embedded within a model file structure
- Sending the crafted file to the vulnerable /api/v2/models/install endpoint
- The server deserializes the file using torch.load(), triggering code execution
- Attacker gains remote code execution on the target system
Technical details and the security fix can be found in the GitHub commit and the Huntr security bounty report.
Detection Methods for CVE-2024-12029
Indicators of Compromise
- Unusual HTTP POST requests to /api/v2/models/install endpoint containing suspicious file uploads
- Unexpected processes spawned by the InvokeAI application process
- Model files with unusual pickle object structures or embedded executable payloads
- Anomalous network connections originating from the InvokeAI server process
Detection Strategies
- Monitor and log all requests to the /api/v2/models/install API endpoint for unusual patterns or sources
- Implement file integrity monitoring on model directories to detect unauthorized modifications
- Deploy network intrusion detection rules to identify pickle deserialization attack patterns
- Use endpoint detection and response (EDR) solutions to monitor for suspicious child process creation from the InvokeAI application
Monitoring Recommendations
- Enable comprehensive logging for all API endpoints, particularly model installation operations
- Configure alerts for model file uploads from untrusted or external sources
- Monitor system calls and process creation events associated with the InvokeAI service
- Implement network segmentation to limit exposure of the model installation API
How to Mitigate CVE-2024-12029
Immediate Actions Required
- Upgrade InvokeAI to version 5.4.3 or later immediately
- If immediate upgrade is not possible, restrict network access to the /api/v2/models/install endpoint
- Audit recently installed model files for potential malicious content
- Review application logs for suspicious model installation activities
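One way to carry out the model-file audit above, and to see the rule that weights_only=True enforces (only a small set of modules may be imported during unpickling), as an added Python example that is not code from InvokeAI or the advisory: it walks the pickle opcodes with pickletools instead of loading the file, lists every module.name the stream would import, and flags anything outside an assumed allowlist. The allowlist, the torch-style zip layout and the Fraction sample (a constructed stand-in for any non-allowlisted class) are assumptions made here.

```python
import io, pickle, pickletools, zipfile
from collections import OrderedDict
from fractions import Fraction

# Assumed allowlist: module roots a genuine PyTorch checkpoint imports while unpickling.
# "builtins" is deliberately excluded because eval and exec live there.
SAFE_MODULE_ROOTS = {"torch", "collections", "numpy", "_codecs"}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def pickle_imports(data: bytes) -> list:
    """Every (module, name) the stream would import, found without unpickling it."""
    imports, memo, recent, last = [], {}, [], None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = arg; recent = (recent + [arg])[-2:]
        elif op.name == "MEMOIZE":                         # proto 4: memoise top of stack
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):  # a memoised module name reused
            last = memo.get(arg)
            if isinstance(last, str): recent = (recent + [last])[-2:]
        elif op.name == "GLOBAL":                          # proto <= 3: arg is "module name"
            imports.append(tuple(arg.split(" ", 1))); last = None
        elif op.name == "STACK_GLOBAL":                    # proto 4+: the two strings below it
            imports.append((recent[-2], recent[-1])); last = None
        else:
            last = None
    return imports

def suspicious_imports(data: bytes) -> list:
    return [(m, n) for m, n in pickle_imports(data) if m.split(".")[0] not in SAFE_MODULE_ROOTS]

def scan_model_file(blob: bytes) -> dict:
    """Raw pickle or torch-style zip (.pt/.pth holding */data.pkl); returns {entry: bad imports}."""
    entries = {"<raw pickle>": blob}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = {n: zf.read(n) for n in zf.namelist() if n.endswith(".pkl")}
    return {name: bad for name, data in entries.items() if (bad := suspicious_imports(data))}

def make_zip(entry: str, payload: bytes) -> bytes:        # mimic the zip layout torch.save writes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf: zf.writestr(entry, payload)
    return buf.getvalue()

# Constructed samples: a state_dict-like OrderedDict passes; a class outside the allowlist is flagged.
CLEAN = make_zip("model/data.pkl", pickle.dumps(OrderedDict(w=[1.0, 2.0]), protocol=4))
FLAGGED = pickle.dumps(Fraction(1, 2), protocol=2)
```

An empty result means every import in the file is on the allowlist; any entry returned should be quarantined and reviewed before the file is ever passed to torch.load().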
Patch Information
The vulnerability has been patched in InvokeAI version 5.4.3. The fix addresses the unsafe deserialization by implementing proper validation when loading model files. Organizations should upgrade to this version or later to remediate the vulnerability. The security patch is available in the GitHub commit 756008dc5899081c5aa51e5bd8f24c1b3975a59e.
Workarounds
- Restrict access to the /api/v2/models/install endpoint using firewall rules or reverse proxy configurations
- Only allow model installations from trusted internal sources and authenticated users
- Implement network segmentation to isolate InvokeAI instances from untrusted networks
- Consider disabling the model installation API entirely if not required for operations
# Example: Restrict access to the model install endpoint using nginx
# Note: allow/deny match the address nginx sees directly; if nginx sits behind
# another proxy or load balancer, configure real_ip_header/set_real_ip_from first.
location /api/v2/models/install {
    # Allow only from trusted internal networks
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.