skip to content
Back to
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
April 12, 2024

GHSL-2024-010: Limited file write in Stable-diffusion-webui - CVE-2024-31462

Sylwia Budzynska

Coordinated Disclosure Timeline


Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems.



Tested Version



Limited file write in modules/ (GHSL-2024-010)

The create_ui method (Backup/Restore tab) in modules/ takes user input into the config_save_name variable on line 653. This user input is later used in the save_config_state method and used to create a file path on line 65, which is afterwards opened for writing on line 67, which leads to a limited file write exploitable on Windows systems.

def save_config_state(name):
    current_config_state = config_states.get_config()
    if not name:
        name = "Config"
    current_config_state["name"] = name
    timestamp ='%Y_%m_%d-%H_%M_%S')
    filename = os.path.join(config_states_dir, f"{timestamp}_{name}.json")
    print(f"Saving backup of webui/extension state to {filename}.")
    with open(filename, "w", encoding="utf-8") as f:
        json.dump(current_config_state, f, indent=4, ensure_ascii=False)

This issue was found with the help of CodeQL.


This issue may lead to limited file write. It allows for writing json files anywhere on the server.



This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska). The vulnerability was found with the help of CodeQL’s path injection query and additional modeling.


You can contact the GHSL team at, please include a reference to GHSL-2024-010 in any communication regarding this issue.