InvokeAI, Path Traversal, CVE-2025-XXXXX (High)

Listen to this Post

The vulnerability in InvokeAI v6.0.0a1 and below resides in the `GET /api/v1/images/download/{bulk_download_item_name}` endpoint. This endpoint fails to properly sanitize user input passed via the `bulk_download_item_name` URL parameter. An attacker can craft a request using path traversal sequences (e.g., ../../) within this parameter. The application, lacking adequate validation, uses this malicious input to construct a filesystem path. This allows the attacker to break out of the intended directory and specify any file on the server. Consequently, the endpoint can be abused to read the contents of sensitive files or trigger their deletion, compromising the system’s confidentiality, integrity, and availability by targeting critical assets like SSH keys or configuration files.
Platform: InvokeAI
Version: <=v6.0.0a1
Vulnerability: Path Traversal
Severity: High

date: 2025-09-18

Prediction: 2025-10-02

What Undercode Say:

curl http://TARGET/api/v1/images/download/..%2F..%2F..%2Fetc%2Fpasswd
import requests
response = requests.get('http://TARGET/api/v1/images/download/../../../path/to/ssh_key')
print(response.text)

How Exploit:

Craft malicious URL with traversal sequences.

Protection from this CVE:

Implement input sanitization.

Impact:

Arbitrary file read/delete.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top