{"id":"PYSEC-2026-359","summary":"InvokeAI has External Control of File Name or Path","details":"### Path Traversal Vulnerability in InvokeAI\n\nA path traversal vulnerability in **InvokeAI** (versions \u003c 6.7.0) allows an unauthenticated remote attacker to read files outside the intended media directory via the **bulk downloads** API.\n \nThe endpoint accepts a user-controlled file/item name and concatenates it into a filesystem path without proper canonicalization or allow-listing. By supplying sequences such as `../` (or absolute paths), an attacker can cause the server to traverse directories and return arbitrary files.\n\nIn certain storage or back-end configurations, abusing attacker-controlled paths can also lead to unintended overwriting or deletion of files referenced by the crafted path.\n\nThe issue is fixed in **6.7.0**, which normalizes and validates input paths and rejects traversal attempts.\n\n**Affected versions:** `\u003c 6.7.0`\n**Patched version:** `6.7.0`","aliases":["CVE-2025-6237","GHSA-vv9c-xxg7-wmv7"],"modified":"2026-06-29T12:15:22.699465289Z","published":"2026-06-29T11:50:37.522085Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-6237"},{"type":"WEB","url":"https://github.com/invoke-ai/InvokeAI/pull/8548/commits/eff565ae6ace1c8458f187245690bff0513f1b9e"},{"type":"PACKAGE","url":"https://github.com/invoke-ai/InvokeAI"},{"type":"WEB","url":"https://github.com/invoke-ai/InvokeAI/blob/v6.0.0a1/invokeai/app/api/routers/images.py#L493-L524"},{"type":"WEB","url":"https://github.com/invoke-ai/InvokeAI/releases/tag/v6.7.0"},{"type":"WEB","url":"https://huntr.com/bounties/54ac9589-7c88-4fd4-8512-8b2f19fbaedf"},{"type":"PACKAGE","url":"https://pypi.org/project/invokeai"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-vv9c-xxg7-wmv7"}],"affected":[{"package":{"name":"invokeai","ecosystem":"PyPI","purl":"pkg:pypi/invokeai"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.7.0"}]}
],"versions":["2.2.4.5","2.2.4.6","2.2.4.7","2.2.5","2.3.0","2.3.0a0","2.3.0a1","2.3.0a2","2.3.0a3","2.3.0rc3","2.3.0rc4","2.3.0rc5","2.3.0rc6","2.3.0rc7","2.3.1","2.3.1.post1","2.3.1.post2","2.3.1rc4","2.3.2","2.3.2.post1","2.3.3","2.3.3rc1","2.3.4","2.3.4.post1","2.3.4a0","2.3.4rc1","2.3.5","2.3.5.post1","2.3.5.post2","2.3.5rc1","3.0.0","3.0.1","3.0.1.post1","3.0.1.post2","3.0.1.post3","3.0.1rc1","3.0.1rc2","3.0.2","3.0.2.post1","3.0.2a1","3.0.2rc1","3.1.0","3.1.1","3.1.1rc1","3.2.0","3.3.0","3.3.0.post1","3.3.0.post2","3.3.0.post3","3.4.0","3.4.0.post1","3.4.0.post2","3.4.0rc2","3.4.0rc3","3.4.0rc4","3.5.0","3.5.0rc1","3.5.0rc2","3.5.0rc3","3.5.1","3.6.0","3.6.0rc1","3.6.0rc2","3.6.0rc3","3.6.0rc4","3.6.0rc5","3.6.0rc6","3.6.1","3.6.2","3.6.3","3.6.3rc1","3.7.0","4.0.0","4.0.0rc1","4.0.0rc2","4.0.0rc4","4.0.0rc5","4.0.0rc6","4.0.1","4.0.2","4.0.3","4.0.4","4.1.0","4.2.0","4.2.0a1","4.2.0a2","4.2.0a3","4.2.0a4","4.2.0b1","4.2.0b2","4.2.1","4.2.2","4.2.2.post1","4.2.3","4.2.4","4.2.5","4.2.6","4.2.6.post1","4.2.6a1","4.2.6rc1","4.2.7","4.2.7.post1","4.2.7rc1","4.2.8","4.2.8rc1","4.2.8rc2","4.2.9","4.2.9.dev10","4.2.9.dev11","4.2.9.dev12","4.2.9.dev20240823","4.2.9.dev20240824","4.2.9.dev3","4.2.9.dev4","4.2.9.dev5","4.2.9.dev6","4.2.9.dev7","4.2.9.dev8","4.2.9.dev9","4.2.9rc1","4.2.9rc2","5.0.0","5.0.0.dev13","5.0.0a1","5.0.0a2","5.0.0a3","5.0.0a4","5.0.0a5","5.0.0a6","5.0.0a7","5.0.0a8","5.0.0rc1","5.0.0rc2","5.0.1","5.0.2","5.1.0","5.1.0rc1","5.1.0rc2","5.1.0rc3","5.1.0rc4","5.1.0rc5","5.1.1","5.10.0","5.10.0.dev1","5.10.0.dev2","5.10.0.dev3","5.10.0.dev4","5.10.0a1","5.10.0rc1","5.10.1","5.11.0","5.11.0rc1","5.11.0rc2","5.12.0","5.12.0rc1","5.12.0rc2","5.13.0","5.13.0rc1","5.13.0rc2","5.13.0rc3","5.14.0","5.15.0","5.2.0","5.2.0rc1","5.2.0rc2","5.3.0","5.3.0rc1","5.3.0rc2","5.3.1","5.3.1rc1","5.4.0","5.4.1","5.4.1rc1","5.4.1rc2","5.4.2","5.4.2rc1","5.4.3","5.4.3rc1","5.4.3rc2","5.4.4rc1","5.5.0","5.5.0rc1","5.6.0","5.6.0rc1","5.6.0rc2","5.6.0rc3","5.6.0rc4","5.6.1","5.6.1rc1","5.6.2","5.7.0","5.7.0a1","5.7.0rc1","5.7.0rc2","5.7.1","5.7.2","5.7.2rc1","5.7.2rc2","5.8.0","5.8.0a1","5.8.0a2","5.8.0rc1","5.8.1","5.9.0","5.9.0rc1","5.9.0rc2","5.9.1","6.0.0","6.0.0a1","6.0.0a10","6.0.0a2","6.0.0a3","6.0.0a4","6.0.0a5","6.0.0a6","6.0.0a8","6.0.0rc1","6.0.0rc2","6.0.0rc3","6.0.0rc4","6.0.0rc5","6.0.1","6.0.1rc1","6.0.2","6.1.0","6.1.0rc1","6.1.0rc2","6.2.0","6.3.0","6.3.0a1","6.3.0rc1","6.3.0rc2","6.4.0","6.4.0rc1","6.4.0rc2","6.5.0","6.5.0rc1","6.5.1","6.6.0","6.6.0rc1","6.6.0rc2","6.7.0rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/invokeai/PYSEC-2026-359.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}