CVE-2024-10821
📋 TL;DR
This CVE describes a Denial of Service vulnerability in Invoke-AI server v5.0.1 where unauthenticated attackers can send specially crafted multipart requests to the /api/v1/images/upload endpoint, causing the server to enter an infinite loop and consume excessive resources. This affects all users of vulnerable Invoke-AI servers, potentially rendering the service completely unavailable.
💻 Affected Systems
- Invoke-AI
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for all users until the server process is killed and restarted; any generations or uploads in flight at that moment are lost.
Likely Case
Temporary service disruption affecting all users until the server is restarted or the attack stops.
If Mitigated
Minimal impact with proper rate limiting, request validation, and monitoring in place.
🎯 Exploit Status
A single unauthenticated HTTP request suffices: a multipart POST to /api/v1/images/upload whose Content-Type header carries an oversized boundary parameter (RFC 2046 caps a boundary at 70 characters). No credentials, session, or prior interaction with the server are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v5.0.2 or later
Vendor Advisory: https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the Invoke-AI server.
3. Update to v5.0.2 or later using your package manager or from GitHub releases.
4. Restart the server.
5. Verify the fix by testing the upload endpoint.
🔧 Temporary Workarounds
Rate Limiting
Implement rate limiting on the /api/v1/images/upload endpoint to limit how quickly an attacker can issue requests. Note the limit of this control: the advisory describes a single request that sends the server into an infinite loop, so rate limiting slows an attacker down but cannot stop one crafted request from tying up the process. Pair it with request validation.
# Configure rate limiting in your web server or application firewall
Request Validation
Add middleware (or a reverse proxy rule) that validates the boundary parameter of the multipart Content-Type header and rejects malformed requests before the multipart parser ever sees the body.
# Implement boundary validation in your application code
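The boundary check described above, written out as an ASGI middleware. This is an added example, not Invoke-AI project code or the vendor's fix; it assumes the server runs under an ASGI server where such a middleware can be wrapped around the application, and the protected path and the 70-character limit (RFC 2046 section 5.1.1) are assumptions it encodes. The guard_status helper at the bottom drives the middleware with a synthetic request so it can be exercised without a running server:

```python
"""Reject multipart uploads whose Content-Type boundary parameter violates
RFC 2046 before the body reaches the multipart parser.

Added example (not Invoke-AI project code). Assumptions: the app is served by
an ASGI server, and only /api/v1/images/upload needs the guard.
"""
import asyncio
import re

MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters
# RFC 2046 bchars: DIGIT / ALPHA / ' ( ) + _ , - . / : = ? and space,
# except that the final character must not be a space.
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$")
PROTECTED_PREFIX = "/api/v1/images/upload"  # endpoint named in the advisory


def check_content_type(value: str):
    """Return None if `value` is an acceptable multipart/form-data Content-Type,
    otherwise a short reason string explaining the rejection."""
    media_type, _, params = value.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        return "unexpected media type"
    boundary = None
    for param in params.split(";"):
        name, _, val = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            boundary = val.strip().strip('"')
    if boundary is None:
        return "missing boundary parameter"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary too long ({len(boundary)} > {MAX_BOUNDARY_LEN})"
    if not _BOUNDARY_RE.match(boundary):
        return "boundary contains characters outside RFC 2046 bchars"
    return None


class MultipartBoundaryGuard:
    """ASGI middleware: answer 400 to POSTs on the protected path whose
    Content-Type fails check_content_type; pass everything else through."""

    def __init__(self, app, prefix: str = PROTECTED_PREFIX):
        self.app = app
        self.prefix = prefix

    async def __call__(self, scope, receive, send):
        if (scope["type"] == "http" and scope.get("method") == "POST"
                and scope.get("path", "").startswith(self.prefix)):
            headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            reason = check_content_type(headers.get("content-type", ""))
            if reason is not None:
                body = f"rejected multipart request: {reason}".encode()
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain"),
                                        (b"content-length", str(len(body)).encode())]})
                await send({"type": "http.response.body", "body": body})
                return
        await self.app(scope, receive, send)


async def _ok_app(scope, receive, send):
    """Stand-in for the real application: always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def guard_status(content_type: str, path: str = PROTECTED_PREFIX, method: str = "POST") -> int:
    """Drive the guard with a synthetic ASGI request and return the status code."""
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": method, "path": path,
             "headers": [(b"content-type", content_type.encode("latin-1"))]}
    asyncio.run(MultipartBoundaryGuard(_ok_app)(scope, receive, send))
    return sent[0]["status"]


if __name__ == "__main__":
    good = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
    crafted = "multipart/form-data; boundary=" + "A" * 100_000  # oversized boundary, as in the advisory
    print(guard_status(good), guard_status(crafted))  # 200 400
```

Because the check runs on the Content-Type header before any body is read, a request with a 100,000-character boundary is answered with 400 without the multipart parser being invoked at all. The same rule can be expressed as a reverse proxy or WAF condition on the header for deployments where touching the application is not an option.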
🧯 If You Can't Patch
- Implement network-level controls to restrict access to the vulnerable endpoint
- Deploy a WAF with rules to detect and block malformed multipart requests
🔍 How to Verify
Check if Vulnerable:
You are exposed if the server runs Invoke-AI v5.0.1 and /api/v1/images/upload is reachable by untrusted clients. Because no version range is published, treat other pre-5.0.2 releases as suspect until you have tested them.
Check Version:
Run pip show invokeai inside the environment the server is installed in and read the Version line, or take the version string the server logs at startup. Note that package.json belongs to the bundled web frontend and does not identify the server version.
Verify Fix Applied:
After patching, send the upload endpoint a well-formed multipart request and then one with an oversized boundary parameter, each with a client-side timeout. A patched server answers both promptly (the crafted one with an error response) instead of hanging.
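A timing probe for the verification step above, as an added example (not the project's or the vendor's test script). It assumes the default route path and that a healthy server answers a well-formed request within the timeout; a 4xx on the baseline is acceptable if the endpoint expects query parameters the probe omits, since only the timing matters. Run it only against a test instance: against a vulnerable server the second request is the denial of service itself.

```python
"""Timing probe for /api/v1/images/upload: one well-formed request as a
baseline, then one with an oversized boundary parameter. A patched server
answers both promptly; a vulnerable one never answers the second.

Added example, not Invoke-AI project code. Run it ONLY against a
non-production instance: on a vulnerable server the crafted request is the
denial of service.
"""
import socket
import time

UPLOAD_PATH = "/api/v1/images/upload"  # assumption: default route, no query string needed for a timing check
BASELINE_BOUNDARY = "----InvokeProbe0123456789"  # RFC 2046 compliant, 25 characters
CRAFTED_BOUNDARY = "A" * 100_000  # far past the 70-character limit of RFC 2046


def build_upload_request(host: str, boundary: str, payload: bytes = b"\x89PNG\r\n\x1a\n") -> bytes:
    """Assemble a raw HTTP/1.1 multipart POST that uses the given boundary."""
    body = (f"--{boundary}\r\n"
            'Content-Disposition: form-data; name="file"; filename="probe.png"\r\n'
            "Content-Type: image/png\r\n\r\n").encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    head = (f"POST {UPLOAD_PATH} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n").encode()
    return head + body


def parse_status(first_bytes: bytes):
    """Return the HTTP status code from the start of a response, or None."""
    parts = first_bytes.split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe_upload(host: str, port: int, boundary: str, timeout: float = 15.0):
    """Send one request; return (status, seconds elapsed). status is None on timeout."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_upload_request(host, boundary))
            status = parse_status(sock.recv(64))
    except socket.timeout:
        status = None
    return status, time.monotonic() - started


def classify(baseline, crafted) -> str:
    """Interpret the two probe results; each is a (status, elapsed) tuple."""
    if baseline[0] is None:
        return "inconclusive: the baseline request itself timed out"
    if crafted[0] is None:
        return "likely vulnerable: the crafted boundary was never answered"
    return f"likely patched: crafted boundary answered {crafted[0]} in {crafted[1]:.2f}s"


if __name__ == "__main__":
    import sys

    host, port = sys.argv[1], int(sys.argv[2])
    baseline = probe_upload(host, port, BASELINE_BOUNDARY)
    crafted = probe_upload(host, port, CRAFTED_BOUNDARY)
    print(classify(baseline, crafted))
```

Invoke it as python probe.py 127.0.0.1 9090 against the test instance. The baseline request is sent first on purpose: if the server is already wedged from an earlier attempt, the result is reported as inconclusive rather than as evidence about the patch.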
📡 Detection & Monitoring
Log Indicators:
- A server process pinned at high CPU while request throughput drops to zero
- Repeated rejected (4xx) upload attempts from the same client once a boundary filter or WAF rule is in place
- Server process hanging or restarting frequently
Network Indicators:
- Requests to /api/v1/images/upload whose multipart Content-Type boundary parameter exceeds 70 characters (the RFC 2046 maximum) or contains characters outside the RFC's allowed set
- Multiple rapid requests from single IPs
SIEM Query:
Splunk-style, over the reverse proxy access log (field names depend on how that log is parsed): sourcetype=nginx:access uri_path="/api/v1/images/upload" method=POST | stats count, values(status) by clientip | where count > 20
A process stuck in the loop is unlikely to write anything distinctive to the application log, so the proxy access log and process CPU metrics are the useful sources here.
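The network indicators above turned into detection logic over reverse-proxy access logs. This is an added example, not Invoke-AI code; it assumes nginx combined-format logs in front of the server, and the log lines embedded in it are constructed for the example.

```python
"""Detection over reverse-proxy access logs: flag clients that hammer
/api/v1/images/upload and clients whose uploads are being rejected.

Added example, not Invoke-AI project code. Assumes an nginx "combined"
format access log in front of the server; the log lines below are
constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

UPLOAD_PATH = "/api/v1/images/upload"
# nginx combined: $remote_addr - $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 fires six uploads in five seconds, all
# rejected by a boundary filter (400); 198.51.100.4 is an ordinary user.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2024:14:02:01 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
203.0.113.7 - - [18/Oct/2024:14:02:01 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
198.51.100.4 - - [18/Oct/2024:14:02:02 +0000] "POST /api/v1/images/upload HTTP/1.1" 201 312 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2024:14:02:02 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
203.0.113.7 - - [18/Oct/2024:14:02:03 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
203.0.113.7 - - [18/Oct/2024:14:02:04 +0000] "GET /api/v1/app/version HTTP/1.1" 200 55 "-" "python-requests/2.32"
203.0.113.7 - - [18/Oct/2024:14:02:04 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
203.0.113.7 - - [18/Oct/2024:14:02:05 +0000] "POST /api/v1/images/upload HTTP/1.1" 400 0 "-" "python-requests/2.32"
198.51.100.4 - - [18/Oct/2024:14:02:40 +0000] "POST /api/v1/images/upload HTTP/1.1" 201 318 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def upload_posts(lines):
    """Yield parsed records for POSTs to the upload endpoint (query string ignored)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_PATH:
            yield rec


def flag_upload_bursts(lines, window_seconds: int = 10, threshold: int = 5):
    """Return {ip: peak_count} for clients with >= threshold upload POSTs inside
    any window_seconds span. Lines are expected in chronological order."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in upload_posts(lines):
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


def rejected_uploads_by_ip(lines):
    """Count 4xx responses to upload POSTs per client: many rejections from one
    source means a WAF or middleware filter is absorbing malformed requests."""
    counts = defaultdict(int)
    for rec in upload_posts(lines):
        if 400 <= rec["status"] < 500:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(flag_upload_bursts(lines))      # {'203.0.113.7': 6}
    print(rejected_uploads_by_ip(lines))  # {'203.0.113.7': 6}
```

The burst detector uses a sliding window per client rather than a flat count, so a legitimate user who uploads a batch over an afternoon is not flagged while a script that fires requests in quick succession is. Tune window_seconds and threshold to your own traffic; the rejected-upload counter is only informative once a filter in front of the server is actually turning crafted requests into 4xx responses.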