CVE-2025-6237
BaseFortify
Publication date: 2025-09-18
Last updated on: 2025-09-18
Assigner: huntr.dev
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invokeai | invokeai | v6.0.0a1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in invokeai v6.0.0a1 and earlier, where the GET /api/v1/images/download/{bulk_download_item_name} endpoint can be abused for path traversal and arbitrary file deletion. Because the filename argument is used directly in filesystem operations, an attacker who supplies a crafted name can reach and delete files anywhere on the server, including critical system files such as SSH keys, databases, and configuration files.
How can this vulnerability impact me?
The vulnerability can lead to severe impacts on confidentiality, integrity, and availability of the affected system. Attackers can read sensitive files, delete important data, and compromise critical system files, potentially causing system outages, data loss, and unauthorized access to sensitive information.
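The root cause named above (CWE-73, a client-controlled name flowing into filesystem operations) is usually fixed by refusing anything that is not a single plain file name and then confirming, after symlink resolution, that the resulting path still sits inside the intended directory. The following Python is an added example written for this page; it is not invokeai's code, and the function names, the `bulk_downloads` directory and the constructed files in `demo()` are assumptions for illustration only.

```python
import tempfile
from pathlib import Path


def resolve_download_path(base_dir: str, item_name: str) -> Path:
    """Map a client-supplied download item name to a file inside base_dir.

    Raises ValueError when the name is not a single plain file name or when
    the resolved path would land outside base_dir (CWE-73 style traversal).
    """
    if not item_name or item_name in (".", ".."):
        raise ValueError(f"invalid item name: {item_name!r}")
    # Exactly one path component is acceptable: no separators, no NUL bytes.
    if any(sep in item_name for sep in ("/", "\\", "\0")):
        raise ValueError(f"invalid item name: {item_name!r}")
    base = Path(base_dir).resolve()
    candidate = (base / item_name).resolve()
    # Containment check after symlink resolution: the parent must be base itself.
    if candidate.parent != base:
        raise ValueError(f"item name escapes base directory: {item_name!r}")
    return candidate


def is_safe_item_name(base_dir: str, item_name: str) -> bool:
    """True if item_name would be accepted by resolve_download_path."""
    try:
        resolve_download_path(base_dir, item_name)
    except ValueError:
        return False
    return True


def delete_download_item(base_dir: str, item_name: str) -> bool:
    """Delete a bulk download artifact; returns True if a file was removed."""
    target = resolve_download_path(base_dir, item_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the check against a constructed layout in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp) / "bulk_downloads"   # assumed download directory
        downloads.mkdir()
        (downloads / "bulk_abc.zip").write_bytes(b"PK\x03\x04")  # constructed artifact
        secret = Path(tmp) / "secret.txt"           # constructed file outside base_dir
        secret.write_text("do not touch")

        results = {
            "plain_name_deleted": delete_download_item(str(downloads), "bulk_abc.zip"),
            "traversal_rejected": not is_safe_item_name(str(downloads), "../secret.txt"),
            "secret_survives": secret.exists(),
            "symlink_rejected": None,  # None if the platform cannot create symlinks
        }
        # A symlink inside base_dir that points outside it is also rejected,
        # because the containment check runs on the resolved path.
        link = downloads / "escape"
        try:
            link.symlink_to(secret)
            results["symlink_rejected"] = not is_safe_item_name(str(downloads), "escape")
        except OSError:
            pass
        return results


if __name__ == "__main__":
    print(demo())
```

Apply the check to the value the web framework hands the handler after URL decoding, since encoded separators are decoded before the route parameter reaches application code; rejecting separators outright is deliberately stricter than normalising the path, which keeps names like `../x` from ever being joined to the base directory.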