CVE-2025-6237

9.8 CRITICAL

📋 TL;DR

This vulnerability in InvokeAI allows attackers to perform path traversal attacks through the image download endpoint, enabling them to read and delete any files on the server. Attackers can access sensitive files like SSH keys, databases, and configuration files. All systems running InvokeAI version v6.0.0a1 and below are affected.

💻 Affected Systems

Products:
  • InvokeAI
Versions: v6.0.0a1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment with the vulnerable endpoint exposed is affected regardless of OS.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through deletion of critical system files, SSH key theft leading to lateral movement, and potential data destruction.

🟠 Likely Case: Data exfiltration of sensitive files and deletion of application data causing service disruption.

🟢 If Mitigated: Limited impact with proper file permissions and network segmentation preventing access to critical system files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP GET requests with crafted filenames.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.0.0a2 or later

Vendor Advisory: https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf

Restart Required: Yes

Instructions:

  1. Update InvokeAI to v6.0.0a2 or later.
  2. Restart the InvokeAI service.
  3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Disable vulnerable endpoint

all

Block access to the /api/v1/images/download/ endpoint

# Add to web server config (nginx example):
location /api/v1/images/download/ { deny all; }
# Or use firewall rules:
iptables -A INPUT -p tcp --dport 9090 -m string --string "/api/v1/images/download/" --algo bm -j DROP

Implement input validation

all

Add filename validation to prevent path traversal

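# In application code, validate the filename parameter before building a path:
def validate_filename(filename):
    # Reject parent-directory references and absolute paths
    if '..' in filename or filename.startswith('/'):
        raise ValueError('Invalid filename')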
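
The substring check above can be compared with a check made on the resolved path. This is an added example, not InvokeAI's code or its actual patch; `safe_download_path`, `resolved_check`, the `downloads` directory and all sample names are hypothetical and constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def naive_check(filename: str) -> bool:
    """Substring check from the workaround above; True means accepted."""
    return not (".." in filename or filename.startswith("/"))


def safe_download_path(base_dir: Path, filename: str) -> Path:
    """Resolve filename under base_dir; raise if the result escapes it."""
    base = base_dir.resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is
    # made on the path the OS would actually open.
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError("Invalid filename")
    return candidate


def resolved_check(base_dir: Path, filename: str) -> bool:
    """True if filename stays inside base_dir after resolution."""
    try:
        safe_download_path(base_dir, filename)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Compare both checks on constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "downloads"        # hypothetical download directory
        base.mkdir()
        (base / "batch..final.zip").write_bytes(b"zip")
        (root / "secret.txt").write_text("outside the download directory")
        os.symlink(root, base / "link")  # constructed symlink leading out
        names = ["batch..final.zip", "../secret.txt", "/etc/passwd",
                 "link/secret.txt"]
        return {n: (naive_check(n), resolved_check(base, n)) for n in names}


if __name__ == "__main__":
    for name, (naive, resolved) in demo().items():
        print(f"{name!r}: naive={naive} resolved={resolved}")
```

The substring check rejects a harmless name that happens to contain `..` and accepts a path that leaves the directory through a symlink; the resolved-path check handles both correctly.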

🧯 If You Can't Patch

  • Implement strict file permissions to limit the web server user's access to only necessary directories
  • Deploy network segmentation to isolate the InvokeAI instance from critical systems

🔍 How to Verify

Check if Vulnerable:

Test if you can access files outside the intended directory by requesting /api/v1/images/download/../../../etc/passwd

Check Version:

invokeai --version

Verify Fix Applied:

After patching, attempt the same path traversal test and verify it returns an error instead of file contents

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /api/v1/images/download/ with '..' in the filename parameter
  • Unusual file access patterns from the web server process

Network Indicators:

  • HTTP GET requests to /api/v1/images/download/ containing path traversal sequences (../)

SIEM Query:

source="web_server_logs" AND uri="/api/v1/images/download/*" AND (uri="*../*" OR uri="*/..*")
