Cyber Resilience

CVE-2024-12029

Critical RCE

Published: 20 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 5.4.3
CVSS v3 score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4416 (97.6th percentile)
Risk priority: 46 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12029 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.4% of all CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A remote code execution vulnerability affects InvokeAI versions 5.3.1 through 5.4.2 in the /api/v2/models/install API endpoint. The root cause is unsafe deserialization of model files via torch.load without validation or sandboxing, which permits arbitrary code execution when a crafted file is processed. The flaw is tracked as CWE-502 and carries a CVSS 3.0 score of 9.8.

An unauthenticated remote attacker can upload a crafted model file carrying an embedded executable payload. When the affected API loads the file, the payload runs in the context of the InvokeAI process, giving the attacker control of the host system with full confidentiality, integrity, and availability impact.

The vulnerability is resolved in version 5.4.3. Public references include the fixing commit at https://github.com/invoke-ai/invokeai/commit/756008dc5899081c5aa51e5bd8f24c1b3975a59e and the detailed Huntr report at https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3, which document the patch and responsible disclosure.

The affected component is an open-source AI image-generation server that routinely ingests untrusted model weights, and the current EPSS of 0.4416 with a recorded peak of 0.4913 reflects sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious code in model files, which is executed upon loading. This issue is fixed in version 5.4.3.

CWE(s)

CWE-502 Deserialization of Untrusted Data

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: matched keywords "ai", "invokeai"

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1027.009 Embedded Payloads (Stealth)
Adversaries may embed payloads within other files to conceal malicious content from defenses.
Why these techniques?

The vulnerability enables remote code execution (T1190) via unsafe deserialization in a web API endpoint; it facilitates Python interpreter abuse (T1059.006), because torch.load executes the embedded code in the server's Python process; it allows ingress tool transfer (T1105), since the attacker delivers the payload by uploading a model file; and it supports payload concealment (T1027.009), since the code is embedded inside what appears to be an ordinary model file.

CVEs Like This One

CVE-2026-26220 (shared CWE-502)
CVE-2026-31234 (shared CWE-502)
CVE-2026-31072 (shared CWE-502)
CVE-2025-27780 (shared CWE-502)
CVE-2025-50460 (shared CWE-502)
CVE-2024-9701 (shared CWE-502)
CVE-2025-27779 (shared CWE-502)
CVE-2026-49121 (shared CWE-502)
CVE-2025-27781 (shared CWE-502)
CVE-2025-62373 (shared CWE-502)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring identification, reporting, and correction of the unsafe deserialization flaw through timely patching to version 5.4.3.

SI-10 Information Input Validation (prevent)

Prevents remote code execution by enforcing validation of untrusted model file inputs prior to deserialization with torch.load.

SI-3 Malicious Code Protection (prevent)

Protects against execution of malicious code embedded in model files uploaded via the /api/v2/models/install API using malicious code protection mechanisms.
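The root cause described under "Deeper analysis" and the SI-10 control above share one defensive idea: a pickle-based checkpoint must be inspected before torch.load is ever called, because the unpickler resolves and calls whatever imports the stream names. The example below is added here and is not InvokeAI's code, the fixing commit, or any library's API. It walks a pickle stream statically with pickletools.genops, collects every module.name import the stream would perform (GLOBAL/INST carry the names inline; STACK_GLOBAL in protocol 4+ takes them from the two strings pushed before it, so a small string memo is tracked), and rejects the file if any import is outside an allowlist or cannot be resolved. It also handles zip-packaged checkpoints by scanning each *.pkl member. The allowlist entries, the assumed zip layout (a data.pkl member, mirroring what torch.save writes), the sample inputs and the function names are all constructed for this example; it does not require torch to run.

```python
"""Static pre-load check for pickle-based model files (added example, not project code)."""
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from fractions import Fraction

# Illustrative allowlist (an assumption for this example): imports a plain tensor
# checkpoint is expected to reference. A real deployment derives this from the
# checkpoint formats it actually accepts.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "BINUNICODE8", "SHORT_BINUNICODE"}
MEMO_PUT = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(data: bytes) -> list[str]:
    """Return every 'module.name' the stream would import, in order, without executing it."""
    found: list[str] = []
    memo: dict = {}      # memo index -> value, mirroring the unpickler's memo (strings only)
    recent: list = []    # strings pushed since the last opcode that was not a memo op
    last = None          # most recently pushed value, if it was a string
    for opcode, arg, _pos in pickletools.genops(data):
        name = opcode.name
        if name in STRING_OPS:
            last = arg
            recent.append(arg)
        elif name in MEMO_GET:
            last = memo.get(arg)
            if last is None:
                recent = []          # a non-string object was fetched: context is lost
            else:
                recent.append(last)
        elif name == "MEMOIZE":
            memo[len(memo)] = last   # MEMOIZE stores at the next free index
        elif name in MEMO_PUT:
            memo[arg] = last
        elif name in ("GLOBAL", "INST"):
            module, attr = arg.split(" ", 1)
            found.append(f"{module}.{attr}")
            recent, last = [], None
        elif name == "STACK_GLOBAL":
            if len(recent) >= 2:
                found.append(f"{recent[-2]}.{recent[-1]}")
            else:
                found.append("<unresolved STACK_GLOBAL>")   # never on the allowlist: fails closed
            recent, last = [], None
        else:
            recent, last = [], None
    return found


def pickle_streams(blob: bytes) -> list[tuple[str, bytes]]:
    """A raw pickle is one stream; a zip checkpoint contributes each *.pkl member."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [(n, zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")]
    return [("<raw>", blob)]


def check_model_file(blob: bytes, allowed=ALLOWED_GLOBALS) -> tuple[bool, list[str]]:
    """Return (accepted, violations). Unparsable or unresolvable streams are violations."""
    violations: list[str] = []
    streams = pickle_streams(blob)
    if not streams:
        return False, ["no pickle stream found in archive"]
    for sname, data in streams:
        try:
            refs = referenced_globals(data)
        except Exception as exc:          # truncated or malformed stream
            violations.append(f"{sname}: unparsable pickle ({type(exc).__name__})")
            continue
        violations.extend(f"{sname}: disallowed import {r}" for r in refs if r not in allowed)
    return not violations, violations


def make_zip_checkpoint(pickle_bytes: bytes) -> bytes:
    """Constructed stand-in for a zip checkpoint (assumed layout: a data.pkl member under a prefix)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle_bytes)
        zf.writestr("archive/version", "3")
    return buf.getvalue()


# Constructed samples: a state-dict-shaped pickle that only needs OrderedDict (protocols 2
# and 4), and a pickle whose __reduce__ imports a harmless callable outside the allowlist.
BENIGN = pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=2)
BENIGN_P4 = pickle.dumps(OrderedDict(), protocol=4)
UNLISTED = pickle.dumps(Fraction(1, 3), protocol=2)

if __name__ == "__main__":
    for label, blob in [("benign raw", BENIGN), ("unlisted raw", UNLISTED),
                        ("benign zip", make_zip_checkpoint(BENIGN)),
                        ("unlisted zip", make_zip_checkpoint(UNLISTED))]:
        accepted, why = check_model_file(blob)
        print(f"{label:13s} accepted={accepted} {why}")
```

Run it on an uploaded file before handing the bytes to the loader; a rejection should be logged with the offending import, since that string is the most useful detection artefact an analyst can pivot on. The check is a gate on the pickle's import surface only, so it complements rather than replaces the actual fix (upgrading to 5.4.3); it is deliberately fail-closed, treating any stream it cannot parse or resolve as a violation.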

References