
CVE-2024-10821: InvokeAI has Denial of Service (DoS) vulnerability in `/api/v1/images/upload`

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.14729%
Published: 3/20/2025
Updated: 3/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: InvokeAI
Ecosystem: pip
Vulnerable Versions: (not listed)
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability manifests in the /api/v1/images/upload endpoint, which is handled by upload_image. While the actual multipart parsing happens inside framework internals (python-multipart), the entry point for this attack surface is the upload_image function. The advisory directly references this code location (line 29 of images.py), and because the function performs no boundary validation and no error handling of its own, it is the vulnerable entry point through which malformed multipart requests trigger excessive resource consumption.


WAF Protection Rules

WAF Rule

A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v*.*.*) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive ...
