CVE-2024-12029
Published: 20 March 2025
Summary
CVE-2024-12029 is an uncategorised-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is N/A.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other Platforms; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring identification, reporting, and correction of the unsafe deserialization flaw through timely patching to version 5.4.3.
- SI-10 (Information Input Validation): prevents remote code execution by enforcing validation of untrusted model file inputs before they are deserialized with torch.load.
- SI-3 (Malicious Code Protection): protects against execution of malicious code embedded in model files uploaded via the /api/v2/models/install API.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
- Exploit Public-Facing Application (T1190): the vulnerability enables remote code execution via unsafe deserialization in a web API endpoint.
- Command and Scripting Interpreter: Python (T1059.006): embedded malicious code runs in the Python interpreter when torch.load deserializes the file.
- Ingress Tool Transfer (T1105): malicious model files are brought onto the host by uploading them through the install API.
- Obfuscated Files or Information: Embedded Payloads (T1027.009): the payload is carried inside what appears to be an ordinary model file.
NVD Description
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
Deeper analysis [AI]
CVE-2024-12029 is a remote code execution vulnerability affecting invoke-ai/InvokeAI versions 5.3.1 through 5.4.2. The issue stems from unsafe deserialization in the /api/v2/models/install API endpoint, where model files are loaded using torch.load without proper validation. This allows arbitrary code embedded in model files to execute during the loading process, classified under CWE-502 (Deserialization of Untrusted Data).
Remote attackers can exploit this vulnerability by crafting malicious model files and tricking users or automated processes into installing them via the affected API. Successful exploitation leads to arbitrary code execution on the server hosting InvokeAI, potentially granting full control over the system depending on the privileges of the running process.
The vulnerability has been addressed in InvokeAI version 5.4.3, as detailed in the project's GitHub commit 756008dc5899081c5aa51e5bd8f24c1b3975a59e. Additional details are available via the Huntr bounty report at https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3, which covers discovery and remediation.
This flaw is particularly relevant to AI/ML workflows, as InvokeAI is a creative engine for Stable Diffusion models relying on PyTorch, highlighting risks in unvalidated model loading within machine learning pipelines. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-03-20.
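A pre-load check of the kind the SI-10 mitigation above calls for, added here as an example (it is not InvokeAI's or PyTorch's code): a restricted unpickler dry-runs the checkpoint's pickle stream, replacing every global with an inert stub and rejecting the file on the first reference outside an allowlist, so nothing in the file is imported or called. The allowlist contents and the two sample files are assumptions constructed for illustration.

```python
import datetime, io, pickle, zipfile
from collections import OrderedDict

# Assumed allowlist (tune per deployment): globals a plain state_dict checkpoint needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                   ("torch", "FloatStorage"), ("torch", "HalfStorage"), ("torch", "BFloat16Storage")}

class _Stub:
    """Stand-in for allowlisted globals: absorbs REDUCE/NEWOBJ/BUILD/SETITEMS, builds nothing real."""
    def __init__(self, *a, **k): pass
    def __setitem__(self, k, v): pass
    def __setstate__(self, s): pass
    def append(self, x): pass
    def extend(self, xs): pass

class CheckpointScanner(pickle.Unpickler):
    def __init__(self, stream):
        super().__init__(stream)
        self.globals_seen = set()
    def find_class(self, module, name):      # runs before REDUCE could ever call the global
        self.globals_seen.add((module, name))
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"disallowed global {module}.{name}")
        return _Stub                         # the real object is never imported
    def persistent_load(self, pid):
        return None                          # tensor storage is never materialised

def scan_checkpoint(data: bytes) -> tuple[bool, set]:
    """Return (safe, globals referenced); safe is False for a disallowed global or a malformed file."""
    scanner = None
    try:
        if zipfile.is_zipfile(io.BytesIO(data)):     # torch >= 1.6 zip container
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(next(n for n in zf.namelist() if n.endswith("data.pkl")))
        scanner = CheckpointScanner(io.BytesIO(data))
        scanner.load()
    except Exception:                                # fail closed
        return False, scanner.globals_seen if scanner is not None else set()
    return True, scanner.globals_seen

# Constructed samples (no torch needed): a benign state_dict-like zip, and a raw legacy
# pickle whose only global, datetime.date, is off the allowlist and is therefore rejected.
def sample_benign_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(OrderedDict(w=[0.1, 0.2]), protocol=2))
    return buf.getvalue()

def sample_rejected_raw() -> bytes:
    return pickle.dumps(datetime.date(2025, 3, 20), protocol=2)
```

`scan_checkpoint(sample_benign_zip())` returns `(True, {("collections", "OrderedDict")})` and the raw sample is rejected with `datetime.date` reported; torch.load's own `weights_only=True` applies the same restricted-unpickler idea inside PyTorch, whereas this scan runs before the file reaches torch at all.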
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis [AI]
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: InvokeAI is an open-source AI platform for running Stable Diffusion models for image generation, and the vulnerability affects its model installation API, which uses unsafe torch.load deserialization.