CVE-2025-6237

Path Traversal and Arbitrary File Deletion in invoke-ai/invokeai

CVSS 9.8 CRITICALEPSS 0.4%CWE-73

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

18 Sep 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A vulnerability in invokeai version v6.0.0a1 and below allows attackers to perform path traversal and arbitrary file deletion via the GET /api/v1/images/download/{bulk_download_item_name} endpoint. By manipulating the filename arguments, attackers can read and delete any files on the server, including critical system files such as SSH keys, databases, and configuration files. This vulnerability results in high confidentiality, integrity, and availability impacts.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

invoke-ai · invoke-ai/invokeai

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf