Invoke AI Web API Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Invoke AI web API, specifically in version 5.0.2. The issue arises in the 'POST /api/v1/images/delete' endpoint, where unauthorized attackers can delete arbitrary files on the server. This vulnerability could be exploited to remove critical or sensitive files, such as SSH keys, SQLite databases, and configuration files, potentially disrupting applications that depend on these files.

Impact

Exploitation of this vulnerability allows any user to delete arbitrary files on the server, including sensitive system files. This could lead to the removal of SSH keys, SQLite databases, and important configuration files, thereby affecting the integrity and availability of applications that rely on them.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/v1/images/delete' endpoint with a JSON payload specifying the names of the files to be deleted. The 'image_names' field can include absolute or relative paths to the files. The request must be made to a server running Invoke AI version 5.0.2.

Remediation

Users can update to Invoke AI version 5.3.0 or later, where this vulnerability has been fixed.
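The root cause described above is that names supplied in 'image_names' are used as file paths, so absolute or relative paths reach the filesystem. The helper below is an added illustration of the kind of check a defender expects at such an endpoint; it is not InvokeAI's code and not the project's actual fix. It assumes a hypothetical images directory and hypothetical function names (`resolve_image_path`, `delete_images`, `demo`), and the files it creates are constructed for the demonstration.

```python
from pathlib import Path
import tempfile


class UnsafeImageName(ValueError):
    """Raised when an image name would escape the images directory."""


def resolve_image_path(images_dir, image_name: str) -> Path:
    """Return the on-disk path for image_name only if it stays inside images_dir.

    Hypothetical helper (not InvokeAI code). An image name is expected to be a
    bare filename, so anything carrying a directory component is rejected before
    the path is even built, and the resolved result is checked against the base.
    """
    if not image_name or image_name in (".", ".."):
        raise UnsafeImageName(f"empty or reserved name: {image_name!r}")
    # Reject separators and NUL bytes outright: "/etc/ssh/x", "../db.sqlite", "..\\x".
    if "/" in image_name or "\\" in image_name or "\x00" in image_name:
        raise UnsafeImageName(f"path separator in name: {image_name!r}")
    base = Path(images_dir).resolve()
    candidate = (base / image_name).resolve()
    # resolve() follows symlinks, so a link inside the directory that points
    # elsewhere also fails this containment check.
    if candidate.parent != base:
        raise UnsafeImageName(f"name escapes images directory: {image_name!r}")
    return candidate


def is_safe_image_name(images_dir, image_name: str) -> bool:
    """Boolean form of the check, convenient for validation and logging."""
    try:
        resolve_image_path(images_dir, image_name)
        return True
    except UnsafeImageName:
        return False


def delete_images(images_dir, image_names):
    """Delete only names that pass the containment check.

    Returns (deleted, rejected) so callers can log rejected names as a
    detection signal: a client sending path-like names is worth alerting on.
    """
    deleted, rejected = [], []
    for name in image_names:
        try:
            path = resolve_image_path(images_dir, name)
        except UnsafeImageName:
            rejected.append(name)
            continue
        if path.is_file():
            path.unlink()
            deleted.append(name)
        else:
            rejected.append(name)
    return deleted, rejected


def demo():
    """Constructed scenario: an images directory beside a file that must survive."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        images = root / "images"
        images.mkdir()
        (images / "cat.png").write_bytes(b"\x89PNG")          # legitimate image
        secret = root / "secret.txt"                           # stands in for a key or DB
        secret.write_text("keep me")
        requested = ["cat.png", "../secret.txt", str(secret), "missing.png"]
        deleted, rejected = delete_images(images, requested)
        return deleted, rejected, secret.exists()


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. Rejecting separators before building the path keeps the decision independent of the current working directory and of how `Path` normalises input, while the final `candidate.parent != base` comparison on resolved paths catches what string checks miss, such as symlinks. Returning the rejected names rather than silently dropping them gives the operator something to log and alert on.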

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.