Checklist
What happened?
Security Vulnerability: Dead Repository URL Creates Credential Harvesting Vector
The installation pipeline in modules/launch_utils.py (stable branch v1.10.1) contains a critical security flaw. The hardcoded URL https://github.com/Stability-AI/stablediffusion.git (line 349) points to a repository deleted by Stability AI in December 2025.
When a new user runs webui.bat, Git attempts to clone this dead URL, receives a 404, and prompts the user for GitHub credentials — first via GUI dialog, then via CLI fallback. No credentials will succeed. The repository does not exist.
Why this is a security issue, not just a bug:
1. Credential Prompt on Dead Target (Critical — Lines 349, 412)
Git cannot distinguish "repo deleted" from "repo is private" — GitHub returns the same 404. This triggers an authentication dialog that trains users to enter credentials when prompted by automated scripts.
2. All URLs Overridable Without Validation (High — Lines 345-358)
Every dependency URL is overridable via environment variables (STABLE_DIFFUSION_REPO, CLIP_PACKAGE, K_DIFFUSION_REPO, etc.). Zero validation — no allowlist, no hash verification, no warning. A forum "fix" like set STABLE_DIFFUSION_REPO=https://github.com/<attacker>/fix.git redirects the clone to an attacker-controlled repo without any check.
3. Unimplemented Integrity Check (High — Line 171)
The git_clone function contains a TODO acknowledging the need for validation:
def git_clone(url, dir, name, commithash=None):
    # TODO clone into temporary dir and move if successful
    ...  # remainder of the function not quoted in this report
Never implemented. Cloned content lands directly in the execution path. Partial clones persist and are treated as valid on subsequent launches.
4. shell=True Execution (Medium — Line 95)
The run() function executes all commands with shell=True, including git clone and pip install. Combined with overridable URLs, crafted URLs with shell metacharacters could achieve command injection.
5. No Error Handling (Medium — Lines 411-415)
Five sequential git_clone calls with no try/except. Failure produces a raw traceback with no user guidance and no cleanup.
Combined Attack Chain:
- Dead URL causes failure + credential prompt
- User searches for fix online
- Attacker publishes "solution" setting environment variables
- Next launch clones from attacker repo without validation
- Malicious content executes via shell=True
Timeline:
Related issues: #17204, #17205, #17213, #17227, #17309
Steps to reproduce the problem
- Download stable-diffusion-webui (stable branch, v1.10.1)
- Run webui.bat on a fresh installation (no prior repositories/ folder)
- Observe: Git attempts to clone https://github.com/Stability-AI/stablediffusion.git
- Observe: Git Credential Manager opens a GUI authentication dialog
- Cancel or enter any credentials — clone fails regardless
- Observe: Raw Python traceback, installation aborts
- No error message explaining the cause, no suggested action, no cleanup
To verify the environment variable override risk:
set STABLE_DIFFUSION_REPO=https://github.com/any-user/any-repo.git
webui.bat
The code will clone from the overridden URL without any warning or validation.
What should have happened?
- The dead URL should be replaced with a verified fork (as already done on the dev branch) or the dependency should be bundled
- GIT_TERMINAL_PROMPT=0 should be set to suppress credential dialogs in automated installs
- Environment variable URL overrides should trigger a visible warning and validate against an allowlist
- git_clone should clone into a temporary directory, verify the commit hash, then move to the final location (as the existing TODO comment suggests)
- shell=True should be replaced with shell=False and argument lists
- Each git_clone call should be wrapped in individual error handling with user-readable messages
- A clear error message should be shown when a repository is unreachable — not a credential prompt
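A hardened version of the clone step that applies the recommendations above, added here as an illustration and not code from the stable-diffusion-webui project: allowlisted env-var overrides with a visible warning, GIT_TERMINAL_PROMPT=0 so a 404 fails fast instead of prompting, shell=False argument lists, a temporary-directory clone verified against the pinned commit before it is moved into place, and a readable error with cleanup. DEFAULT_SD_REPO is a placeholder for the verified fork the report does not name, and GCM_INTERACTIVE=never is Git Credential Manager's own non-interactive switch (assumed present on installs that use GCM).

```python
import os
import shutil
import subprocess
import tempfile

# Placeholder for the verified fork (the report does not name it). Overrides must
# match an exact allowlist entry, so pointing STABLE_DIFFUSION_REPO elsewhere is rejected.
DEFAULT_SD_REPO = "https://github.com/EXAMPLE-ORG/stablediffusion.git"
ALLOWED_REPO_URLS = {DEFAULT_SD_REPO}

def resolve_repo_url(env_name, default_url, environ=None):
    """Honour an env-var override only if allowlisted, and warn visibly when used."""
    environ = os.environ if environ is None else environ
    url = environ.get(env_name, default_url)
    if url != default_url:
        if url not in ALLOWED_REPO_URLS:
            raise ValueError(f"{env_name}={url!r} is not an allowlisted repository URL")
        print(f"WARNING: {env_name} overrides the default repository URL: {url}")
    return url

def build_clone_command(git, url, dest):
    """Argument list for shell=False: shell metacharacters in url stay literal."""
    return [git, "clone", "--config", "core.filemode=false", "--", url, dest]

def git_clone(url, dest, name, commithash=None, git="git"):
    """Clone into a temp dir, pin and verify the commit, then move into place."""
    if os.path.isdir(dest):
        return dest
    # GIT_TERMINAL_PROMPT=0 stops git's own password prompt and GCM_INTERACTIVE=never
    # the Git Credential Manager dialog, so a 404 fails fast instead of asking for creds.
    env = dict(os.environ, GIT_TERMINAL_PROMPT="0", GCM_INTERACTIVE="never")
    os.makedirs(os.path.dirname(dest) or ".", exist_ok=True)
    tmp = tempfile.mkdtemp(prefix="clone-", dir=os.path.dirname(dest) or ".")
    try:
        subprocess.run(build_clone_command(git, url, tmp), check=True, env=env)
        if commithash:  # pins are full 40-hex SHAs, compared against the checked-out HEAD
            subprocess.run([git, "-C", tmp, "checkout", "--detach", commithash], check=True, env=env)
            head = subprocess.run([git, "-C", tmp, "rev-parse", "HEAD"], check=True, env=env,
                                  capture_output=True, text=True).stdout.strip()
            if head != commithash:
                raise RuntimeError(f"{name}: HEAD {head} does not match pinned {commithash}")
        shutil.move(tmp, dest)  # only a complete, verified clone reaches the execution path
        return dest
    except (subprocess.CalledProcessError, RuntimeError) as e:
        shutil.rmtree(tmp, ignore_errors=True)  # never leave a partial clone behind
        raise RuntimeError(f"Couldn't clone {name} from {url}: the repository may not exist "
                           "or be unreachable; no credentials are required for public repos.") from e
```

With this shape the reproduction in this report would stop at a single RuntimeError naming the repository, with no credential dialog and no half-cloned directory left under repositories/.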
What browsers do you use to access the UI ?
No response
Sysinfo
Security vulnerability report — WebUI cannot start due to the dead repository URL, so no sysinfo can be generated. This affects all new installations of stable branch v1.10.1. See #17204, #17205, #17213, #17227, #17309 for additional confirmations across different systems.
Console logs
Cloning Stable Diffusion into C:\...\repositories\stable-diffusion-stability-ai...
Cloning into 'C:\...\repositories\stable-diffusion-stability-ai'...
remote: Repository not found.
fatal: repository 'https://github.com/Stability-AI/stablediffusion.git/' not found
Traceback (most recent call last):
  File "...\launch.py", line 48, in <module>
    main()
  File "...\launch.py", line 39, in main
    prepare_environment()
  File "...\modules\launch_utils.py", line 412, in prepare_environment
    git_clone(stable_diffusion_repo, repo_dir('stable-diffusion-stability-ai'), "Stable Diffusion", stable_diffusion_commit_hash)
  File "...\modules\launch_utils.py", line 192, in git_clone
    run(f'"{git}" clone --config core.filemode=false "{url}" "{dir}"', ...)
  File "...\modules\launch_utils.py", line 116, in run
    raise RuntimeError("\n".join(error_bits))
RuntimeError: Couldn't clone Stable Diffusion.
Command: "git" clone --config core.filemode=false "https://github.com/Stability-AI/stablediffusion.git" "...\repositories\stable-diffusion-stability-ai"
Error code: 128
Additional information
This is a security-focused report, not a standard bug report. The dead URL has been reported multiple times as a functional bug (#17204, #17205, #17213, #17227, #17309), but the security implications — credential harvesting via Git auth prompts, supply chain attack surface via unvalidated environment variable overrides, shell=True command injection risk, and missing integrity checks — have not been addressed.
The dev branch partially fixes the dead URL by switching to a fork, but the architectural issues (no URL validation, no integrity checks, shell=True, no error handling) remain unresolved on both branches.
A detailed SECURITY.md with all findings, code references (lines 89-118, 171-188, 345-358, 411-415), and recommendations is available on request.