| Field | Value |
|---|---|
| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79) |
| Source | ⚠️ https://gist.github.com/YLChen-007/50f0cdc5e3f7b737ce99c783e487ca0d |
| User | Eric-c (UID 96848) |
| Submitted | 2026-03-27 13:32 (24 days ago) |
| Moderation | 2026-04-19 11:44 (23 days later) |
| Status | Accepted |
| VulDB entry | 358227 [ComfyUI up to 0.13.0 userdata Endpoint app/user_manager.py getuserdata Cross-Site Scripting] |
| Points | 20 |

# Technical Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in the `getuserdata` handler in `app/user_manager.py` of ComfyUI.

The `/userdata/{file}` endpoint serves files via `web.FileResponse(path)`, which automatically sets the Content-Type based on the file extension via `mimetypes.guess_type()`. `.html` files are served as `text/html` and `.svg` files as `image/svg+xml` — both allow JavaScript execution. The `/view` endpoint was previously patched with a MIME type blocklist (commits 59d58b11, 4f4f1c64), but this fix was never applied to `/userdata`.

# Vulnerable Code

- File: `app/user_manager.py` (lines 333-339)
- Method: `getuserdata`
- Why: `return web.FileResponse(path)` sets `Content-Type: text/html` for `.html` files with no sanitization. The `post_userdata` handler (lines 341-395) accepts arbitrary content and writes it directly to disk, so any attacker with POST access can store an XSS payload.

# Reproduction

1. Upload a malicious HTML file: `curl -X POST "http://127.0.0.1:8188/userdata/test_xss.html" -d '<html><body><script>alert(document.domain)</script></body></html>'`
2. Visit in a browser: http://127.0.0.1:8188/userdata/test_xss.html
3. JavaScript executes — `alert()` shows `127.0.0.1`.

# Impact

- Session data theft: read localStorage containing workflows and settings (`Comfy.PreviousWorkflow`, `Comfy.Workflow.Drafts`).
- Arbitrary API calls: queue malicious workflows, modify settings, upload/delete files as the victim.
- Data exfiltration: send stolen data to an external server.
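The root cause described in Technical Details is that `mimetypes.guess_type()` turns a user-controlled file extension into a browser-trusted `Content-Type`. The following is an added example, not ComfyUI's code and not the project's actual fix: it reproduces the extension-to-type mapping `FileResponse` relies on, shows one defensive header policy for a user-writable download path (the `ACTIVE_CONTENT_TYPES` set, the `safe_response_headers` function and the `audit_userdata_dir` triage helper are all my own assumptions, modelled as plain functions with no aiohttp dependency), and walks a constructed userdata tree to flag files that an unpatched handler would serve as active content.

```python
"""Added example (not ComfyUI's code): why serving a user-writable directory
with an extension-derived Content-Type is stored XSS, and a header policy
that neutralises it. All names here are hypothetical."""
import mimetypes
import os
import tempfile

# Types a browser renders as active content in the serving origin. Any of
# these under an attacker-writable path is a stored-XSS sink. (Assumed list.)
ACTIVE_CONTENT_TYPES = frozenset({
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
})


def guessed_content_type(filename: str) -> str:
    """What an extension-based FileResponse would choose for this name."""
    ctype, _encoding = mimetypes.guess_type(filename)
    return ctype or "application/octet-stream"


def safe_response_headers(filename: str) -> dict:
    """Headers a hardened /userdata/{file} handler would attach (assumed policy).

    Active content types are downgraded to application/octet-stream and forced
    to download; every response carries nosniff so the browser cannot re-derive
    text/html from the file bytes.
    """
    ctype = guessed_content_type(filename)
    headers = {"X-Content-Type-Options": "nosniff"}
    if ctype in ACTIVE_CONTENT_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = "inline"
    return headers


def audit_userdata_dir(root: str) -> list:
    """Triage helper: list files under root that an unpatched handler would
    serve with an active content type, as (relative path, type) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ctype = guessed_content_type(name)
            if ctype in ACTIVE_CONTENT_TYPES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, ctype))
    return sorted(findings)


def demo() -> list:
    """Build a constructed userdata tree (sample files, not real data) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "default", "workflows"))
        samples = {
            "default/workflows/flow.json": "{}",
            "default/test_xss.html": "<!-- constructed sample -->",
            "default/icon.svg": "<!-- constructed sample -->",
            "default/notes.txt": "constructed sample",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return audit_userdata_dir(root)


if __name__ == "__main__":
    for name in ("flow.json", "test_xss.html", "icon.svg"):
        print(name, guessed_content_type(name), safe_response_headers(name))
    print(demo())
```

The blocklist approach mirrors what the report says was done for `/view`; an allowlist of the types the frontend actually needs (JSON, plain text, raster images) is the stricter variant, and `nosniff` is what keeps either policy honest when a file's extension and bytes disagree.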