CVE-2024-32022 – CVE-2024-32022 is a command injection vulnerabi... (How to Fix)

Q: What is the severity of CVE-2024-32022?

CVE-2024-32022 has a CVSS score of 9.1 (CRITICAL). CVE-2024-32022 is a command injection vulnerability in Kohya_ss, a GUI for Stable Diffusion trainers. Attackers can execute arbitrary commands on affected systems by exploiting improper input validation in basic_caption_gui.py. This affects all users running vulnerable versions of Kohya_ss.

📋 TL;DR

CVE-2024-32022 is a command injection vulnerability in Kohya_ss, a GUI for Stable Diffusion trainers. Attackers can execute arbitrary commands on affected systems by exploiting improper input validation in basic_caption_gui.py. This affects all users running vulnerable versions of Kohya_ss.

💻 Affected Systems

Products:

Kohya_ss

Versions: All versions before 23.1.5

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all installations of Kohya_ss before the patched version, regardless of configuration.

📦 What is this software?

Kohya Ss by Bmaltais

View all CVEs affecting Kohya Ss →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands with the privileges of the Kohya_ss process, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Remote code execution allowing attackers to install malware, exfiltrate data, or pivot to other systems on the network.

🟢

If Mitigated

Limited impact if system runs with minimal privileges, network segmentation is in place, and proper input validation prevents exploitation.

🌐 Internet-Facing: HIGH - If Kohya_ss is exposed to the internet, attackers can remotely exploit this vulnerability without authentication.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires network access to the Kohya_ss instance.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in a GUI component and exploitation details are publicly available in the advisory, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.1.5

Vendor Advisory: https://github.com/bmaltais/kohya_ss/security/advisories/GHSA-m6jq-7j4v-2fg3

Restart Required: Yes

Instructions:

1. Stop the Kohya_ss application. 2. Update to version 23.1.5 or later using: pip install --upgrade kohya_ss. 3. Restart the application.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to Kohya_ss to trusted IP addresses only

# Example firewall rule for Linux: sudo iptables -A INPUT -p tcp --dport [KOHYA_PORT] -s [TRUSTED_IP] -j ACCEPT
# Example firewall rule for Windows: New-NetFirewallRule -DisplayName "Kohya_ss Access" -Direction Inbound -Protocol TCP -LocalPort [KOHYA_PORT] -RemoteAddress [TRUSTED_IP] -Action Allow

Run with Limited Privileges

all

Run Kohya_ss with a non-privileged user account to limit potential damage

# Linux: sudo -u [non_privileged_user] python [kohya_ss_script]
# Windows: Run as a standard user account without administrative privileges

🧯 If You Can't Patch

Disable or remove Kohya_ss until patching is possible
Implement strict network segmentation and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the Kohya_ss version: python -c "import kohya_ss; print(kohya_ss.__version__)" and compare to 23.1.5

Check Version:

python -c "import kohya_ss; print(kohya_ss.__version__)"

Verify Fix Applied:

Confirm version is 23.1.5 or later using the version check command and verify the basic_caption_gui.py file contains the security fixes from commit 831af8babeb75faff62bcc6a8c6a4f80354f1ff1

📡 Detection & Monitoring

Log Indicators:

Unusual command execution patterns in system logs
Suspicious processes spawned by the Kohya_ss Python process
Unexpected network connections from the Kohya_ss host

Network Indicators:

Unusual outbound connections from Kohya_ss host
Traffic to known malicious IPs or domains

SIEM Query:

process_name:"python" AND parent_process_name:"kohya_ss" AND (command_line:"*cmd*" OR command_line:"*powershell*" OR command_line:"*bash*")

📊 Metadata

CVE ID: CVE-2024-32022

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-77

Published: April 16, 2024

Last Updated: September 19, 2025

🔗 References

https://github.com/bmaltais/kohya_ss/commit/831af8babeb75faff62bcc6a8c6a4f80354f1ff1 Patch
https://github.com/bmaltais/kohya_ss/security/advisories/GHSA-m6jq-7j4v-2fg3 Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2024-019_GHSL-2024-024_kohya_ss Exploit,Third Party Advisory
https://github.com/bmaltais/kohya_ss/commit/831af8babeb75faff62bcc6a8c6a4f80354f1ff1 Patch
https://github.com/bmaltais/kohya_ss/security/advisories/GHSA-m6jq-7j4v-2fg3 Third Party Advisory
https://securitylab.github.com/advisories/GHSL-2024-019_GHSL-2024-024_kohya_ss Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-32022, you might also want to check these: