invoke-ai/invokeai Denial-of-Service Vulnerability via Large Payload in Board Name Field

Vulnerability

A denial-of-service vulnerability has been identified in the invoke-ai/invokeai application, specifically in version 5.0.2. The issue arises in the /api/v1/boards/{board_id} endpoint when a PATCH request is made with an excessively large payload in the board_name field. This overload causes the user interface to freeze, making it impossible for users to manage the affected board or access the delete option. The vulnerability not only disrupts user interaction but can also lead to long-term clutter in the system by creating boards that cannot be removed through normal channels.

Impact

Exploitation of this vulnerability causes a complete breakdown of the user interface for the affected board, making the board impossible to manage or delete. This UI freeze can lead to a permanent denial of service, as the board remains stuck in the system unless it is manually removed from the backend. Additionally, sending large payloads can deplete server resources, potentially causing system-wide slowdowns or crashes. In production environments, this could disrupt operations and require significant administrative effort to resolve.

Reproduction

To reproduce this vulnerability, first create a new board by sending a POST request to the /api/v1/boards/ endpoint with a normal-sized board_name. Once the board is created, send a PATCH request to the /api/v1/boards/{board_id} endpoint, including a board_name payload of approximately 50 million characters. This will cause the user interface to become unresponsive, with essential management features, including the delete option, becoming inaccessible.
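
A server-side check that would refuse the oversized update described above, shown as an added example that is not InvokeAI's code or its actual fix. The limits (16 KiB body, 300-character name) and all function and class names are assumptions; only the endpoint and the board_name field come from this page.

```python
import json

# Assumed limits; the page does not state what InvokeAI enforces.
MAX_BODY_BYTES = 16 * 1024      # cap on the raw PATCH body
MAX_BOARD_NAME_CHARS = 300      # cap on board_name after decoding


class PayloadRejected(Exception):
    """Refusal carrying an HTTP-style status code (hypothetical helper)."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def validate_board_update(raw_body, content_length=None):
    """Validate a PATCH /api/v1/boards/{board_id} body before it is stored."""
    # 1. Reject on the declared size first, so the body need not be read.
    if content_length is not None and content_length > MAX_BODY_BYTES:
        raise PayloadRejected(413, "declared body too large")
    # 2. The header can be absent or wrong: check the bytes actually received.
    if len(raw_body) > MAX_BODY_BYTES:
        raise PayloadRejected(413, "body too large")
    try:
        changes = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        raise PayloadRejected(400, "body is not valid JSON") from None
    if not isinstance(changes, dict):
        raise PayloadRejected(400, "body must be a JSON object")
    name = changes.get("board_name")
    if name is not None:
        if not isinstance(name, str):
            raise PayloadRejected(422, "board_name must be a string")
        name = name.strip()
        if not name or len(name) > MAX_BOARD_NAME_CHARS:
            raise PayloadRejected(422, "board_name length out of range")
        changes["board_name"] = name
    return changes


def display_name(stored_name, limit=MAX_BOARD_NAME_CHARS):
    """Clamp a name already in storage so board listings stay small."""
    if len(stored_name) <= limit:
        return stored_name
    return stored_name[: limit - 1] + "\u2026"
```

The body cap stops the large request before JSON parsing, and `display_name` covers boards that were renamed before any limit existed, so the listing sent to the UI stays small enough for the delete option to remain reachable.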

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.