Invoke-AI Server Denial-of-Service Vulnerability via Multipart Request Boundary Processing

Vulnerability

A denial-of-service vulnerability has been identified in the Invoke-AI server in version 5.0.1. The issue arises in multipart request boundary processing: the server does not bound the number of extra characters it will accept after the end of a multipart boundary. This flaw allows unauthenticated attackers to craft malformed multipart requests that include arbitrary characters at the end of the boundary. The server processes these extra characters in an infinite loop, leading to excessive resource consumption and a complete denial of service for all users. The vulnerability affects the '/api/v1/images/upload' endpoint.

Impact

Exploitation of this vulnerability causes significant resource exhaustion, leading to a complete denial of service where the application becomes unresponsive for all users.

Reproduction

The vulnerability can be reproduced by sending a multipart request to the '/api/v1/images/upload' endpoint with an excessive number of characters appended to the boundary. This can be done using a Python script that automates the process, such as one that sends a POST request with a large number of characters added to the multipart boundary.
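As an added example (not Invoke-AI's own code and not part of this advisory), the following Python pre-parse check shows the bounded handling that the mechanism described under Vulnerability lacks: it validates the Content-Type boundary parameter against the RFC 2046 limits, then makes one linear pass over the body and rejects any delimiter line with characters appended after the boundary, rather than consuming them one at a time. The function names, the size cap and the sample requests are assumptions constructed for this example.

```python
import re

# RFC 2046 s5.1.1: a boundary is 1..70 chars from a restricted set and must not end in a space.
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,70}$")
MAX_BODY_BYTES = 10 * 1024 * 1024  # assumption: an upload cap the endpoint enforces

def extract_boundary(content_type):
    """Return the boundary parameter of a multipart/form-data Content-Type, or None."""
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # unquote a quoted boundary value
            return value or None
    return None

def boundary_is_valid(boundary):
    """Reject boundaries that are too long, use disallowed characters, or end in a space."""
    return bool(BOUNDARY_RE.match(boundary)) and not boundary.endswith(" ")

def check_multipart(content_type, body):
    """One bounded pass over the body before the real multipart parser runs.
    Every delimiter line must be exactly --boundary or --boundary-- (trailing
    transport padding allowed); anything else appended after the boundary is
    rejected instead of being processed character by character."""
    boundary = extract_boundary(content_type)
    if boundary is None or not boundary_is_valid(boundary):
        return False, "missing or malformed boundary parameter"
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    delim = b"--" + boundary.encode("ascii")
    saw_close = False
    for line in body.split(b"\r\n"):  # work is linear in body size, never unbounded
        if line.startswith(delim):
            tail = line[len(delim):].rstrip(b" \t")
            if tail == b"--":
                saw_close = True
            elif tail != b"":
                return False, "unexpected characters after boundary delimiter"
    return (True, "ok") if saw_close else (False, "closing delimiter not found")

# Constructed sample bodies (not real captures) for a quick self-check.
SAMPLE_OK = (b'--XyZ\r\nContent-Disposition: form-data; name="file"; filename="a.png"\r\n'
             b'\r\nPNGDATA\r\n--XyZ--\r\n')
SAMPLE_BAD = SAMPLE_OK.replace(b"--XyZ--", b"--XyZ" + b"A" * 500)  # junk after the boundary
```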

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.