CVE-2024-11043
InvokeAI Uncontrolled Resource Consumption vulnerability
Description
A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. The vulnerability is triggered when an excessively large payload is sent in the board_name field of a PATCH request. Once such a payload has been accepted, the UI becomes unresponsive, making it impossible for users to interact with or manage the affected board. Additionally, the option to delete the board becomes inaccessible, amplifying the severity of the issue.
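The page lists no upstream fix, so the following is an added illustration of the general mitigation for this class of bug: bounding the request body and the board_name field before anything downstream has to handle them. It is example code written for this page, not InvokeAI's own handler; the byte and character limits and the set of accepted PATCH fields are assumptions chosen for the demonstration.

```python
import json

# Assumed limits for illustration; InvokeAI's real schema may differ.
MAX_BODY_BYTES = 4096        # reject oversized bodies before JSON parsing
MAX_BOARD_NAME_LEN = 300     # hypothetical upper bound for board_name
ALLOWED_FIELDS = {"board_name", "cover_image_name", "archived"}  # assumed fields


class BoardUpdateError(ValueError):
    """Raised when a PATCH /api/v1/boards/{board_id} body fails validation."""


def validate_board_update(raw_body: bytes) -> dict:
    """Validate a PATCH body for the boards endpoint and return the clean fields.

    The size check runs on the raw bytes first, so an oversized payload is
    rejected before the JSON parser, the database or the UI ever sees it.
    """
    if len(raw_body) > MAX_BODY_BYTES:
        raise BoardUpdateError(f"body exceeds {MAX_BODY_BYTES} bytes")
    try:
        data = json.loads(raw_body)
    except ValueError as exc:  # covers malformed JSON and bad UTF-8
        raise BoardUpdateError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise BoardUpdateError("body must be a JSON object")
    unknown = set(data) - ALLOWED_FIELDS
    if unknown:
        raise BoardUpdateError(f"unexpected fields: {sorted(unknown)}")
    if "board_name" in data:
        name = data["board_name"]
        if not isinstance(name, str):
            raise BoardUpdateError("board_name must be a string")
        name = name.strip()
        if not name:
            raise BoardUpdateError("board_name must not be blank")
        if len(name) > MAX_BOARD_NAME_LEN:
            raise BoardUpdateError(f"board_name exceeds {MAX_BOARD_NAME_LEN} chars")
        data["board_name"] = name
    return data


def is_accepted(raw_body: bytes) -> bool:
    """Convenience wrapper: True if the body passes validation."""
    try:
        validate_board_update(raw_body)
        return True
    except BoardUpdateError:
        return False


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    ok = json.dumps({"board_name": "Landscapes"}).encode()
    oversized = json.dumps({"board_name": "A" * 100_000}).encode()
    print("normal rename accepted:", is_accepted(ok))          # True
    print("oversized rename accepted:", is_accepted(oversized))  # False
```

Rejecting on raw body size before parsing matters because a limit applied only after deserialization still lets the server spend memory and time on the oversized request.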
How to fix CVE-2024-11043
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fixed version listed
Is CVE-2024-11043 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- invokeai: all versions from 0 up to and including 5.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |