CVE-2024-11042: 
Python vulnerability analysis and mitigation

In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete endpoint contains a vulnerability that enables Arbitrary File Deletion. This security flaw was discovered and disclosed in March 2025, affecting the InvokeAI application (NVD).

The vulnerability is classified as an Improper Input Validation (CWE-20) issue. The affected endpoint allows unauthorized attackers to delete arbitrary files on the server through directory traversal. The severity of this vulnerability has been assessed with a CVSS v3.0 base score of 9.1 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

The vulnerability enables attackers to delete critical system files, including SSH keys, SQLite databases, and configuration files. This can severely impact the integrity and availability of applications relying on these files (NVD).

A patch has been implemented to prevent directory traversal attacks through two safeguards: checking for directory traversal characters in image names and verifying that resulting paths are relative to the base folder. The fix is available in the repository commit (GitHub Commit).