CVE-2024-11043

7.5 HIGH

📋 TL;DR

A Denial of Service vulnerability in InvokeAI allows attackers to crash the web interface by sending oversized payloads to board update endpoints. This affects all users running vulnerable versions of InvokeAI, particularly those with exposed web interfaces. The vulnerability makes affected boards unmanageable and requires restarting the service to recover.

💻 Affected Systems

Products:
  • invoke-ai/invokeai
Versions: v5.0.2 (specifically mentioned, earlier versions may also be affected)
Operating Systems: All platforms running InvokeAI
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web API endpoint /api/v1/boards/{board_id} with PATCH requests containing oversized board_name payloads.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption where the InvokeAI web interface becomes completely unresponsive, requiring service restart and potentially causing data loss for in-progress operations.

🟠 Likely Case

Targeted boards become inaccessible and unmanageable, requiring administrator intervention to restart the service and restore functionality.

🟢 If Mitigated

Service remains available with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - Any internet-accessible InvokeAI instance is vulnerable to simple DoS attacks that can disrupt service.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems can still disrupt service, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending HTTP PATCH requests with oversized payloads to specific endpoints. No authentication bypass is needed if the endpoint is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check latest InvokeAI releases after v5.0.2

Vendor Advisory: https://huntr.com/bounties/9270900a-b8b7-402f-aee5-432d891e5648

Restart Required: Yes

Instructions:

  1. Update InvokeAI to the latest patched version.
  2. Restart the InvokeAI service.
  3. Verify the fix by testing with normal-sized payloads.

🔧 Temporary Workarounds

Input Validation via Web Application Firewall

all

Configure WAF rules to reject PATCH requests with oversized board_name payloads

# WAF-specific configuration required

Rate Limiting

all

Implement rate limiting on /api/v1/boards/* endpoints to prevent rapid exploitation

# Configure in reverse proxy or application settings

🧯 If You Can't Patch

  • Implement strict input validation at the reverse proxy/load balancer level
  • Restrict access to InvokeAI API endpoints to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Send a PATCH request to /api/v1/boards/{board_id} with an excessively large board_name payload (e.g., >10KB) and observe if the UI becomes unresponsive.

Check Version:

Check InvokeAI version in web interface or run appropriate version check command for your installation method

Verify Fix Applied:

After patching, attempt the same oversized payload test and verify the request is rejected with proper error handling.

📡 Detection & Monitoring

Log Indicators:

  • Large payload sizes in PATCH requests to board endpoints
  • HTTP 413 errors (if payload size limits are enforced)
  • Service restart events following API requests

Network Indicators:

  • Unusually large HTTP PATCH requests to /api/v1/boards/* endpoints
  • Sudden drop in API responsiveness

SIEM Query:

http.method:PATCH AND http.uri:"/api/v1/boards/*" AND http.request_body_size > 10000
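The SIEM query above, implemented as an added offline check over access-log lines (example code written for this page, not part of the advisory or of InvokeAI). It assumes an nginx-style log whose last field is $request_length, and the sample lines are constructed.

```python
import re
# Assumed (not from the advisory): nginx-style access log whose last field is
# $request_length (request line + headers + body, bytes); adjust LOG_RE otherwise.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<req_len>\d+)$'
)
# Mirrors the page's SIEM query: PATCH to /api/v1/boards/* larger than 10000 bytes.
BOARD_PATH_RE = re.compile(r'^/api/v1/boards/[^/?]+')
SIZE_THRESHOLD = 10000


def find_oversized_board_patches(lines, threshold=SIZE_THRESHOLD):
    """Return (hits, unparsed); unparsed lists lines LOG_RE could not read."""
    hits, unparsed = [], []
    for line in filter(None, map(str.strip, lines)):
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)  # surface coverage gaps instead of ignoring them
            continue
        if m["method"] != "PATCH" or not BOARD_PATH_RE.match(m["uri"]):
            continue
        req_len = int(m["req_len"])
        if req_len > threshold:
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                         "status": int(m["status"]), "req_len": req_len})
    return hits, unparsed


def per_source_counts(hits):
    """Count hits per client address so a burst from one source stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample lines for this example, not captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Nov/2024:10:15:01 +0000] "PATCH /api/v1/boards/3f2a HTTP/1.1" 200 524288
203.0.113.7 - - [04/Nov/2024:10:15:02 +0000] "PATCH /api/v1/boards/3f2a HTTP/1.1" 200 524288
198.51.100.4 - - [04/Nov/2024:10:15:03 +0000] "PATCH /api/v1/boards/3f2a HTTP/1.1" 200 412
192.0.2.9 - - [04/Nov/2024:10:15:05 +0000] "PATCH /api/v1/images/abc HTTP/1.1" 200 40000
192.0.2.9 - - [04/Nov/2024:10:15:06 +0000] "PATCH /api/v1/boards/9c1d HTTP/1.1" 413 20480
not a log line
"""

if __name__ == "__main__":
    hits, unparsed = find_oversized_board_patches(SAMPLE_LOG.splitlines())
    print(*hits, sep="\n")
    print("per source:", per_source_counts(hits), "| unparsed lines:", len(unparsed))
```

A 413 entry still counts as a hit: it shows the limit from the workaround section is doing its job and who is probing it.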
