| Field | Value |
|---|---|
| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Origin Validation Error (CWE-346) |
| Source | https://gist.github.com/YLChen-007/d314f8120e47601dfa3ac8b899f12d1f |
| User | Eric-c (UID 96848) |
| Submitted | 2026-03-27 13:29 (25 days ago) |
| Moderation | 2026-04-19 11:44 (23 days later) |
| Status | Accepted |
| VulDB entry | 358224 [ComfyUI up to 0.13.0 server.py create_origin_only_middleware cross-site request forgery] |
| Points | 20 |

# Description

## Technical Details

A CSRF protection bypass chained with stored XSS exists in `server.py` of ComfyUI.

The CSRF middleware `create_origin_only_middleware()` (server.py lines 144-178) checks the Origin header to prevent cross-origin requests. However, it does not handle `Origin: null`, which browsers send for requests issued from a sandboxed iframe. `urlparse("null").netloc` evaluates to an empty string, so `len(origin_domain) > 0` is False and the origin comparison is skipped entirely.

## Vulnerable Code

- File: server.py (lines 144-178)
- Method: create_origin_only_middleware
- Why: The check `len(origin_domain) > 0` evaluates False for `Origin: null`, completely bypassing the CSRF protection. Combined with the /userdata/ endpoint serving .html files as text/html (app/user_manager.py lines 333-339), an attacker can chain: CSRF upload of evil.html, victim visits the URL, XSS executes in the ComfyUI origin.

## Reproduction

1. Attacker hosts a malicious page that creates a sandboxed iframe targeting the victim's local ComfyUI (127.0.0.1:8188).
2. The iframe sends a POST to /userdata/evil.html with an XSS payload; the browser sends `Origin: null`, and the CSRF check is bypassed.
3. Attacker tricks the victim into opening the uploaded URL: http://127.0.0.1:8188/userdata/evil.html
4. JavaScript executes in ComfyUI's origin context with full API access.

## Impact

- Complete API access: execute arbitrary AI workflows (POST /prompt), consuming the victim's compute.
- Data exfiltration: read system info, generated images, workflow history, and user files.
- Persistent backdoor: upload and overwrite files on the ComfyUI backend.
- Equivalent to remote code execution via the browser, since no authentication exists in ComfyUI.