{"data":{"id":"5711ffa8-1d0d-400a-9987-0aa3669ec8e1","title":"CVE-2024-12029: A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/i","summary":"InvokeAI versions 5.3.1 through 5.4.2 contain a remote code execution vulnerability (the ability for attackers to run commands on a system they don't own) in the model installation API. The flaw comes from unsafe deserialization (converting data back into usable code without checking if it's trustworthy) of model files using torch.load, which allows attackers to hide malicious code in model files that gets executed when loaded.","solution":"This issue is fixed in version 5.4.3. Users should update to version 5.4.3 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-12029","publishedAt":"2025-03-20T10:15:26.157Z","cveId":"CVE-2024-12029","cweIds":["CWE-502"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Invoke AI","InvokeAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.4913,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","availability"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}