PT-2025-38303 · Invokeai · Invokeai

Published: 2025-09-18 · Updated: 2025-09-19 · CVE-2025-6237

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: invokeai versions v6.0.0a1 and below

Description: A vulnerability allows attackers to perform path traversal and arbitrary file deletion. This is achieved via the GET /api/v1/images/download/{bulk download item name} endpoint by manipulating the filename arguments. Attackers can read and delete any files on the server, including critical system files. This results in high impacts to confidentiality, integrity, and availability.

Recommendations: For versions v6.0.0a1 and below, restrict access to the /api/v1/images/download/{bulk download item name} endpoint. As a temporary workaround, consider disabling the /api/v1/images/download/{bulk download item name} endpoint until a patch is available.
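The root cause described above is a download handler that joins a client-supplied item name onto a server directory without confining the result. The following is an added example (not InvokeAI's own code) of the check such a handler needs before it reads or deletes anything: the item name must be a bare filename, and the resolved path must stay inside the bulk-download directory even when symlinks are followed. The directory and the sample names are constructed for the demonstration.

```python
import os
import tempfile


def resolve_download_path(base_dir: str, item_name: str) -> str:
    """Return the absolute path of a bulk-download item confined to base_dir.

    Raises ValueError when item_name is empty or reserved, carries any
    directory component, or resolves (after symlinks) outside base_dir.
    """
    if not item_name or item_name in {".", ".."}:
        raise ValueError("empty or reserved item name")
    # A download item name is a single filename: separators and NUL are never valid.
    if "/" in item_name or "\\" in item_name or "\x00" in item_name:
        raise ValueError("item name must not contain path separators")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, item_name))
    # realpath follows symlinks, so a link planted inside base_dir that points
    # elsewhere is rejected here rather than being read or unlinked.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("item resolves outside the download directory")
    return candidate


# Constructed sample names covering the accepted shape and common traversal forms.
SAMPLE_NAMES = [
    "batch_01.zip",
    "../../secret.txt",
    "..",
    "subdir/batch_01.zip",
    "..\\settings.ini",
    "batch_01.zip\x00.txt",
]


def classify(names, base_dir=None):
    """Map each candidate name to 'accepted' or 'rejected: <reason>'."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="bulk_download_")
    verdicts = {}
    for name in names:
        try:
            resolve_download_path(base_dir, name)
            verdicts[name] = "accepted"
        except ValueError as exc:
            verdicts[name] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_NAMES).items():
        print(f"{name!r}: {verdict}")
```

Rejections from this check are worth logging: a run of traversal-shaped names against this endpoint is a clear signal to alert on while the upgrade or the workaround above is being applied.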

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-6237, GHSA-VV9C-XXG7-WMV7

Affected Products: Invokeai