CVE-2024-12029
Published: 20 March 2025
Summary
CVE-2024-12029 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A remote code execution vulnerability affects InvokeAI versions 5.3.1 through 5.4.2 in the /api/v2/models/install API endpoint. The root cause is unsafe deserialization of model files via torch.load without validation or sandboxing, which permits arbitrary code execution when a crafted file is processed. The flaw is tracked as CWE-502 and carries a CVSS 3.0 score of 9.8.
An unauthenticated remote attacker can upload a malicious model file containing an embedded executable payload. When the file is loaded through the affected API, the payload executes in the context of the InvokeAI process, granting the attacker full control over the host system, with confidentiality, integrity, and availability all impacted.
The vulnerability is resolved in version 5.4.3. Public references include the fixing commit at https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e and the detailed Huntr report at https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3, which document the patch and responsible disclosure.
The affected component is an open-source AI image-generation server that routinely ingests untrusted model weights, and the current EPSS of 0.4416 with a recorded peak of 0.4913 reflects sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7245
Vulnerability details
A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, invokeai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Exploit Public-Facing Application (T1190) through unsafe deserialization in a web API endpoint; Command and Scripting Interpreter: Python (T1059.006), because torch.load runs the embedded malicious code inside the Python interpreter; Ingress Tool Transfer (T1105), because the payload arrives as an uploaded model file; and Obfuscated Files or Information: Embedded Payloads (T1027.009), because the code is hidden inside a model file.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring identification, reporting, and correction of the unsafe deserialization flaw through timely patching to version 5.4.3.
- SI-10 (Information Input Validation): Prevents remote code execution by enforcing validation of untrusted model file inputs prior to deserialization with torch.load.
- Malicious code protection: Protects against execution of malicious code embedded in model files uploaded via the /api/v2/models/install API, using malicious code protection mechanisms.
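The SI-10 control above and the torch.load root cause described under Deeper analysis come down to one check: inspect an uploaded model file before any deserializer touches it. The following is an added example written for this page; it is not InvokeAI's own code or its 5.4.3 patch, and the allowlist, sample files, and function names are constructed assumptions. It classifies an upload as safetensors, a torch zip checkpoint, or a bare pickle; bounds-checks the safetensors header; and disassembles pickle streams with pickletools so that every module.name the pickle would import is compared against an allowlist, without ever unpickling anything.

```python
"""Pre-load validator for uploaded model files: added example, not InvokeAI code.
Inspects a file before any torch.load call; pickle streams are only disassembled."""
import io
import json
import pickle
import pickletools
import struct
import zipfile
from collections import OrderedDict

# Hypothetical allowlist for a plain state_dict checkpoint (an assumption; a real
# deployment derives it from its own known-good files).
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("torch", "FloatStorage"),
                   ("torch._utils", "_rebuild_tensor_v2")}
_STR_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
            "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_OPAQUE = object()  # any stack value the shadow stack does not model


def pickle_globals(data: bytes) -> list[tuple[str, str]]:
    """Every (module, name) the pickle would import, found by disassembly alone.
    A shadow stack follows string pushes, memo traffic and POP so STACK_GLOBAL operands
    resolve; every other opcode pushes _OPAQUE, so an obscured operand is rejected."""
    stack, memo, found = [], {}, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STR_OPS:
            stack.append(arg)
        elif op.name == "GLOBAL":                     # protocol <= 3: "module name"
            module, attr = arg.split(" ", 1)
            found.append((module, attr))
            stack.append(_OPAQUE)
        elif op.name == "STACK_GLOBAL":               # protocol 4+: operands on stack
            attr, module = stack.pop(), stack.pop()
            if not (isinstance(module, str) and isinstance(attr, str)):
                raise ValueError("unresolvable STACK_GLOBAL operands")
            found.append((module, attr))
            stack.append(_OPAQUE)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1]
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1]
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg, _OPAQUE))
        elif op.name == "POP":
            stack.pop()
        elif op.name != "STOP":
            stack.append(_OPAQUE)
    return found


def validate_safetensors(data: bytes) -> list[str]:
    """8-byte little-endian header length, JSON header, then raw tensor data."""
    (n,) = struct.unpack("<Q", data[:8])
    if n > len(data) - 8:
        raise ValueError("header length exceeds file size")
    header = json.loads(data[8:8 + n].decode("utf-8"))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    payload, names = len(data) - 8 - n, []
    for tname, meta in header.items():
        if tname != "__metadata__":
            start, end = meta["data_offsets"]
            if not 0 <= start <= end <= payload:
                raise ValueError(f"tensor {tname!r} points outside the data section")
            names.append(tname)
    return sorted(names)


def check_model_file(data: bytes) -> dict:
    """Classify an upload and decide whether a loader may see it at all."""
    try:
        return {"format": "safetensors", "ok": True, "tensors": validate_safetensors(data)}
    except (ValueError, KeyError, TypeError, struct.error):
        pass
    try:
        if zipfile.is_zipfile(io.BytesIO(data)):      # torch.save zip container
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                globs = [g for m in zf.namelist() if m.endswith(".pkl")
                         for g in pickle_globals(zf.read(m))]
            fmt = "torch-zip"
        elif data[:1] == b"\x80":                      # bare pickle (PROTO opcode)
            globs, fmt = pickle_globals(data), "pickle"
        else:
            return {"format": "unknown", "ok": False, "disallowed": []}
    except (ValueError, IndexError, zipfile.BadZipFile):
        return {"format": "malformed", "ok": False, "disallowed": []}
    bad = sorted(set(globs) - ALLOWED_GLOBALS)
    return {"format": fmt, "ok": not bad, "disallowed": bad}


def build_samples() -> dict[str, bytes]:
    """Constructed sample uploads for the demo (not real model weights)."""
    header = json.dumps({"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}).encode()
    safet = struct.pack("<Q", len(header)) + header + struct.pack("<2f", 1.0, 2.0)

    def zip_ckpt(payload: bytes) -> bytes:            # mimics torch.save's container layout
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("archive/data.pkl", payload)
            zf.writestr("archive/version", "3\n")
        return buf.getvalue()

    clean = zip_ckpt(pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4))
    # Bare reference to a global outside the allowlist: refused on sight, never run.
    suspicious = zip_ckpt(pickle.dumps(eval, protocol=4))
    return {"safetensors": safet, "clean_ckpt": clean, "suspicious_ckpt": suspicious,
            "legacy_pickle": pickle.dumps(OrderedDict(), protocol=3), "junk": b"not a model"}
```

Run check_model_file over build_samples() to see the four verdicts: the safetensors file passes with its tensor names, the clean checkpoint passes with no disallowed globals, the suspicious checkpoint is refused with (builtins, eval) listed, and junk is classified as unknown. The scanner deliberately fails closed: any STACK_GLOBAL whose operands it cannot resolve from its shadow stack, and any stream that does not disassemble, is reported as malformed rather than passed through. This check belongs in front of the loader, not instead of a hardened one; the loader itself should still prefer safetensors and, where pickle-based checkpoints must be accepted, use torch.load's weights_only=True restricted unpickler.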