Submission #791114: comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79) Information

Title: comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79)

Description:

# Technical Details

A Stored XSS vulnerability exists in the `/view` endpoint in `server.py` of ComfyUI, bypassing the existing XSS fix. The endpoint blocks `text/html`, `text/javascript`, `text/css`, and `application/xhtml+xml`, but does NOT include `image/svg+xml`. SVG supports embedded `<script>` tags per the W3C specification. The `/upload/image` endpoint accepts .svg files without extension validation, writing them to the `input/` directory, which is served by `/view`. The existing fix (commits 59d58b11, 4f4f1c64) is therefore incomplete.

# Vulnerable Code

File: server.py (lines 565-576)
Method: /view endpoint MIME type blocklist
Why: `image/svg+xml` is missing from the blocklist set `{'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}`. SVG served as `image/svg+xml` with inline `<script>` executes JavaScript in the browser. The `Content-Disposition` header lacks the `attachment` directive, so browsers render the file inline.

# Reproduction

1. Create a malicious SVG:

```xml
<svg xmlns="http://www.w3.org/2000/svg"><script>alert('XSS: ' + document.domain)</script></svg>
```

2. Upload via the image upload endpoint:

```sh
curl -X POST "http://127.0.0.1:8188/upload/image" -F "image=@/tmp/evil.svg;type=image/svg+xml" -F "type=input" -F "overwrite=true"
```

3. Access in a browser: `http://127.0.0.1:8188/view?filename=evil.svg&type=input`

4. Alert popup confirms XSS — Content-Type: image/svg+xml is not blocked.

# Impact

- Session data theft: Access localStorage with workflows and user settings.
- Arbitrary API calls: Queue malicious workflows or delete data on behalf of the victim.
- Social engineering: SVG files appear as harmless image previews, making "share a preview image" attacks highly effective.
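The following Python is an added illustration of the two mitigations the report implies, not code from the submission or from ComfyUI. It models the `/view` response headers with a hypothetical `view_headers()` function (the header-handling structure is assumed; only the blocklist set is taken from the report) and shows that the original blocklist lets `evil.svg` go out as renderable `image/svg+xml`, while a blocklist extended with `image/svg+xml` plus a `Content-Disposition: attachment` header does not. A second hypothetical helper, `svg_has_active_content()`, is an upload-side check that flags SVG documents carrying `<script>` elements, `on*` event handlers or `javascript:` hrefs, so such files can be rejected before they reach the served `input/` directory.

```python
import mimetypes
import xml.etree.ElementTree as ET

# Blocklist quoted in the report for the /view endpoint (original, incomplete).
ORIGINAL_BLOCKLIST = {
    "text/html", "text/html-sandboxed", "application/xhtml+xml",
    "text/javascript", "text/css",
}
# Hardened set: adds image/svg+xml, which browsers treat as a scriptable document.
HARDENED_BLOCKLIST = ORIGINAL_BLOCKLIST | {"image/svg+xml"}


def view_headers(filename: str, blocklist: set, force_attachment: bool = False) -> dict:
    """Model of the headers a /view-style endpoint would send (assumed structure,
    not ComfyUI's implementation).

    The MIME type is guessed from the extension, exactly the mechanism that maps
    evil.svg to image/svg+xml. Types on the blocklist are downgraded to
    text/plain so the browser will not execute them; force_attachment adds the
    'attachment' disposition the report notes is missing, so the file is
    downloaded rather than rendered inline.
    """
    content_type, _ = mimetypes.guess_type(filename)
    if content_type is None:
        content_type = "application/octet-stream"
    if content_type in blocklist:
        content_type = "text/plain"
    disposition = "attachment" if force_attachment else "inline"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{filename}"',
        # Stops the browser from sniffing a downgraded type back to something active.
        "X-Content-Type-Options": "nosniff",
    }


def svg_has_active_content(data: bytes) -> bool:
    """Upload-side check: True if the SVG contains anything that would run when
    rendered inline (script elements, on* handlers, javascript: hrefs).

    An unparseable document is treated as active content rather than trusted.
    For production use, parse with defusedxml to avoid entity-expansion attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        local_tag = el.tag.split("}")[-1].lower()  # strip the namespace prefix
        if local_tag == "script":
            return True
        for attr, value in el.attrib.items():
            local_attr = attr.split("}")[-1].lower()
            if local_attr.startswith("on"):
                return True
            if local_attr == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample mirroring the report's payload shape.
    sample = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
    print("original blocklist:", view_headers("evil.svg", ORIGINAL_BLOCKLIST))
    print("hardened blocklist:", view_headers("evil.svg", HARDENED_BLOCKLIST, force_attachment=True))
    print("upload check flags sample:", svg_has_active_content(sample))
```

The key design point is that a blocklist keyed on MIME types must include every type a browser will execute as a document, and `image/svg+xml` is one of them; forcing `attachment` for user-uploaded files is the belt-and-braces control that holds even if the list is incomplete again.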
Source: https://gist.github.com/YLChen-007/1d91fabb465284d7a974746f7e6cc5cc
User: Eric-c (UID 96848)
Submitted: March 27, 2026 13:34 (24 days ago)
Moderation: April 19, 2026 11:44 (23 days later)
Status: Accepted
VulDB Entry: 358228 [ComfyUI up to 0.13.0 View Endpoint server.py Cross-Site Scripting]
Points: 20
