Home » Database

AVID-2026-R1471

Description

Kohya_ss is vulnerable to a command injection in group_images_gui.py (GHSL-2024-021) (CVE-2024-32025)

Details

Kohya_ss is a GUI for Kohya’s Stable Diffusion trainers. Kohya_ss is vulnerable to a command injection in group_images_gui.py. This vulnerability is fixed in 23.1.5.

Reason for inclusion in AVID: CVE-2024-32025 describes a command injection vulnerability in kohya_ss’s group_images_gui.py, a GUI utility used in Stable Diffusion training workflows. This is a software vulnerability within a component commonly used to build/train AI systems, representing a software supply chain issue in AI pipelines. The CVE details and references indicate potential remote exploitation with high impact, satisfying the security/safety criterion. Sufficient evidence is provided by the CVE entry and advisories.

References

Affected or Relevant Artifacts

  • Developer: bmaltais
  • Deployer: bmaltais
  • Artifact Details:
TypeName
Systemkohya_ss

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.1
Vector StringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score9.1
Base Severity🔴 Critical
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability ImpactNONE

CWE

IDDescription
CWE-77CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-16
  • Version: 0.3.3
  • AVID Entry