| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Origin Validation Error (CWE-346) |
|---|---|
| Description | # Technical Details
A CSRF protection bypass chained with stored XSS exists in `server.py` of ComfyUI.
The CSRF middleware `create_origin_only_middleware()` (server.py lines 144-178) compares the Origin header against the Host header to reject cross-origin requests. However, it does not handle `Origin: null`, the value browsers send for requests issued from sandboxed iframes. `urlparse("null").netloc` evaluates to an empty string, so the guard `len(origin_domain) > 0` is False and the comparison is skipped entirely, allowing the request through.
# Vulnerable Code
File: server.py (lines 144-178)
Method: create_origin_only_middleware
Why: The guard `len(origin_domain) > 0` evaluates False for `Origin: null`, so the Host/Origin comparison never runs and the CSRF protection is bypassed. Combined with the /userdata/ endpoint serving .html files as text/html (app/user_manager.py lines 333-339), an attacker can chain the two: CSRF upload of evil.html → victim visits the URL → XSS executes in ComfyUI's origin.
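As an added illustration (not code from the report or from ComfyUI itself), the Python below models the Origin-versus-Host comparison described above on constructed request headers, next to a hardened variant that fails closed when the Origin header is present but does not parse to an http(s) URL with a host. The loopback-host condition and port normalisation of the real middleware are omitted here as simplifications.

```python
from urllib.parse import urlparse

# Constructed header sets for illustration, not captured from a real ComfyUI session.
SAME_ORIGIN = {"Host": "127.0.0.1:8188", "Origin": "http://127.0.0.1:8188"}
CROSS_ORIGIN = {"Host": "127.0.0.1:8188", "Origin": "http://attacker.example"}
NULL_ORIGIN = {"Host": "127.0.0.1:8188", "Origin": "null"}  # what a sandboxed iframe sends


def blocked_by_vulnerable_check(headers: dict) -> bool:
    """Simplified model of the check the report describes (assumed shape, not the
    upstream source). Returns True when the request would receive a 403.

    The domain comparison only runs when the parsed Origin has a non-empty
    netloc, which is the gap: urlparse("null").netloc == "" and the request
    falls through as if it were same-origin.
    """
    if "Host" not in headers or "Origin" not in headers:
        return False
    host_domain = headers["Host"].lower()
    origin_domain = urlparse(headers["Origin"]).netloc.lower()
    if len(host_domain) > 0 and len(origin_domain) > 0:
        return host_domain != origin_domain
    return False  # "null" (or any unparsable Origin) is silently allowed


def blocked_by_hardened_check(headers: dict) -> bool:
    """Hardened variant (an assumed fix, not ComfyUI's own patch): an Origin that
    is present but is not an http(s) URL with a host is rejected instead of
    being ignored, so "null" can no longer skip the comparison."""
    if "Host" not in headers or "Origin" not in headers:
        return False  # Origin absent: left unchanged from the original behaviour
    host_domain = headers["Host"].lower()
    parsed = urlparse(headers["Origin"])
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return True  # fail closed on "null" and on malformed origins
    return host_domain != parsed.netloc.lower()


if __name__ == "__main__":
    cases = [("same-origin", SAME_ORIGIN), ("cross-origin", CROSS_ORIGIN), ("Origin: null", NULL_ORIGIN)]
    for name, hdrs in cases:
        print(f"{name:13s} vulnerable blocks={blocked_by_vulnerable_check(hdrs)!s:5s} "
              f"hardened blocks={blocked_by_hardened_check(hdrs)}")
```

Running it shows the vulnerable model blocking the cross-origin request but letting `Origin: null` through, while the hardened model blocks both.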
# Reproduction
1. Attacker hosts a malicious page that creates a sandboxed iframe targeting the victim's local ComfyUI (127.0.0.1:8188).
2. The iframe sends a POST to /userdata/evil.html with an XSS payload; the browser sends Origin: null, so the CSRF check is bypassed.
3. Attacker tricks the victim into opening the uploaded URL: http://127.0.0.1:8188/userdata/evil.html
4. JavaScript executes in ComfyUI's origin context with full API access.
# Impact
- Complete API access: execute arbitrary AI workflows (POST /prompt), consuming the victim's compute.
- Data exfiltration: read system info, generated images, workflow history, and user files.
- Persistent backdoor: upload and overwrite files on the ComfyUI backend.
- Equivalent to remote code execution via the browser, since ComfyUI has no authentication.
|
| Source | ⚠️ https://gist.github.com/YLChen-007/d314f8120e47601dfa3ac8b899f12d1f |
| User | Eric-c (UID 96848) |
| Submission | 27.03.2026 13:29 (25 days ago) |
| Moderation | 19.04.2026 11:44 (23 days later) |
| Status | Accepted |
| VulDB Entry | 358224 [ComfyUI up to 0.13.0 server.py create_origin_only_middleware Cross Site Request Forgery] |
| Points | 20 |