Cyber Resilience

CVE-2024-12375

Medium · Public PoC

Published 20 March 2025
Modified 30 October 2025
KEV Added not listed
CVSS Score v3 6.5 (Medium) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0172 (82.8th percentile)
Risk Priority 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12375 is a medium-severity Absolute Path Traversal (CWE-36) vulnerability in automatic1111/stable-diffusion-webui. Its CVSS v3 base score is 6.5 (Medium). The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable attacker holding low privileges who obtains full confidentiality impact (arbitrary file read) with no impact on integrity or availability; the PR:L component matters when triaging, because an instance exposed without authentication removes the one precondition the scoring assumes.

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 17.2% of CVEs by exploit likelihood (EPSS 0.0172), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is flagged as AI-related, categorised as LLM Application Platforms within the Privacy and Disclosure risk domain.

Vulnerability details

A local file inclusion (arbitrary file read) vulnerability was identified in automatic1111/stable-diffusion-webui, affecting the version at git commit 82a973c. It allows an attacker to read arbitrary files on the system by sending a specially crafted request to the application. The description does not name the affected endpoint or parameter, so defenders should treat any file-serving route of an exposed instance as in scope until the deployed version is confirmed to be newer than 82a973c. The CWE-36 classification indicates the root cause is an absolute path supplied by the client being accepted in place of a path confined to an intended directory, rather than (or in addition to) the more common "../" traversal of CWE-22.
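The following is an added illustration of the CWE-36 pattern and its fix, not code from stable-diffusion-webui: the "outputs" directory, the function names and the probe strings are assumptions. It shows why `os.path.join` with a client-controlled path is an arbitrary file read, and a hardened resolver that rejects absolute input, resolves symlinks and `..`, and confines the result to the allowed directory.

```python
import os
import tempfile
from pathlib import Path

# Constructed illustration of CWE-36 (Absolute Path Traversal). The allowed
# directory, function names and probe strings are assumptions for this
# example, not code from automatic1111/stable-diffusion-webui.


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: os.path.join discards every earlier component
    when a later one is absolute, so requested='/etc/passwd' yields
    '/etc/passwd' no matter what base_dir is."""
    return os.path.join(base_dir, requested)


def resolve_safe(base_dir: str, requested: str) -> str:
    """Hardened resolver: reject absolute input, resolve symlinks and '..'
    components, then require the result to remain inside base_dir."""
    base = Path(base_dir).resolve()
    # os.path.isabs is platform-specific (on POSIX it ignores 'C:\\x'), so
    # the check is only as good as the OS the service really runs on.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    target = (base / requested).resolve()
    try:
        target.relative_to(base)  # raises ValueError if target left base
    except ValueError:
        raise ValueError("path escapes the allowed directory") from None
    return str(target)


def demo() -> dict:
    """Run both resolvers against a throwaway directory. Returns the raw
    path the unsafe join would open under key 'unsafe', and for each probe
    whether the safe resolver reported 'allowed' or 'blocked'."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "outputs")
        os.makedirs(base)
        Path(base, "image.png").write_bytes(b"\x89PNG")
        # The absolute request silently replaces base in the unsafe join.
        results["unsafe"] = resolve_unsafe(base, "/etc/passwd")
        probes = (
            "image.png",            # legitimate file inside base
            "sub/../image.png",     # '..' that still lands inside base
            "/etc/passwd",          # CWE-36: absolute path
            "../../etc/passwd",     # CWE-22: relative traversal
            "sub/../../x",          # traversal hidden behind a fake subdir
        )
        for probe in probes:
            try:
                resolve_safe(base, probe)
                results[probe] = "allowed"
            except ValueError:
                results[probe] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r:22} -> {value}")
```

The confinement check uses `Path.resolve()` on both sides so that a symlink planted inside the allowed directory and pointing outside it is also rejected; a purely lexical check (`startswith(base)`) would miss that case and also accept `outputs_private` as a child of `outputs`.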

CWE(s)

CWE-36 Absolute Path Traversal
AI Security Analysis

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: automatic1111, stable-diffusion-webui

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The LFI vulnerability (CVE-2024-12375) in a web UI enables remote exploitation of a public-facing application (T1190) to perform arbitrary file reads from the local system (T1005).

Affected Assets

Vendor automatic1111
Product stable-diffusion-webui
Affected version git 82a973c
Date listed 2024-07-27

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.