FKIE_CVE-2024-10821

Vulnerability from fkie_nvd - Published: 2025-03-20 10:15 - Updated: 2025-10-15 13:15
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`.
References
security@huntr.devhttps://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unauthenticated attackers to cause excessive resource consumption. The server fails to handle excessive characters appended to the end of multipart boundaries, leading to an infinite loop and a complete denial of service for all users. The affected endpoint is `/api/v1/images/upload`."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en el mecanismo de procesamiento de los l\u00edmites de solicitud multiparte del servidor Invoke-AI (versi\u00f3n v5.0.1) permite a atacantes no autenticados consumir recursos excesivamente. El servidor no gestiona el exceso de caracteres a\u00f1adidos al final de los l\u00edmites multiparte, lo que genera un bucle infinito y una denegaci\u00f3n de servicio completa para todos los usuarios. El endpoint afectado es `/api/v1/images/upload`."
    }
  ],
  "id": "CVE-2024-10821",
  "lastModified": "2025-10-15T13:15:37.087",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-20T10:15:20.130",
  "references": [
    {
      "source": "security@huntr.dev",
      "url": "https://huntr.com/bounties/0ac24835-c4c0-4f11-938a-d5641dfb80b2"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-835"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.