CNNVD-202509-3024 Information
Sep 18, 2025
CNNVD ID
CNNVD-202509-3024
Related CVE
- CNNVD Published: 2025-09-18
Description
Invoke is InvokeAI's open-source leading creative engine for Stable Diffusion models. Invoke v6.0.0a1 and earlier versions contain a security vulnerability that stems from the GET /api/v1/images/download/{bulk_download_item_name} endpoint not properly handling the file name parameter, which may lead to path traversal and arbitrary file deletion attacks.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
银河樟坛
Published
2025-09-18
Last Modified
2026-02-24
References
https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf
Patch
https://github.com/invoke-ai/InvokeAI/releases