Submission #791108: comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Origin Validation Error (CWE-346)

Title: comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Origin Validation Error (CWE-346)
Description:

# Technical Details

A CSRF protection bypass chained with stored XSS exists in `server.py` of ComfyUI. The CSRF middleware `create_origin_only_middleware()` (server.py lines 144-178) compares the `Origin` header against the `Host` header to block cross-origin requests. It does not handle `Origin: null`, the value browsers send for requests made from an opaque origin, such as a sandboxed iframe (e.g. `sandbox="allow-scripts"` without `allow-same-origin`). `urlparse("null").netloc` evaluates to an empty string, so the guard `len(origin_domain) > 0` is False, the host comparison is never reached, and the request is accepted.

# Vulnerable Code

File: server.py (lines 144-178)
Method: create_origin_only_middleware
Why: the check `len(origin_domain) > 0` evaluates False for `Origin: null`, completely bypassing the CSRF protection. Because the /userdata/ endpoint serves `.html` files as `text/html` (app/user_manager.py lines 333-339), an attacker can chain: CSRF upload of evil.html → victim visits the URL → XSS executes in the ComfyUI origin.

# Reproduction

1. The attacker hosts a malicious page containing a sandboxed iframe that targets the victim's local ComfyUI (127.0.0.1:8188).
2. Script in the iframe sends a POST to /userdata/evil.html with an XSS payload as the body. The browser sends `Origin: null`, the CSRF check is bypassed, and the file is stored.
3. The attacker tricks the victim into opening the uploaded URL: http://127.0.0.1:8188/userdata/evil.html
4. The JavaScript executes in ComfyUI's origin context with full API access.

# Impact

- Complete API access: execute arbitrary AI workflows (POST /prompt), consuming the victim's compute.
- Data exfiltration: read system info, generated images, workflow history and user files.
- Persistent backdoor: upload and overwrite files on the ComfyUI backend.
- Effectively equivalent to remote code execution via the browser, since ComfyUI has no authentication.
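The following is an added example, not code from the submission or from ComfyUI itself: a plain-Python re-implementation of the Origin check as the Technical Details section describes it (parse `Origin` with `urlparse`, reject only when the netloc is non-empty and differs from `Host`), run against three constructed request header sets, next to a hardened variant that treats a missing or `null` netloc as cross-origin. Function names, the sample headers and the status codes returned are assumptions for illustration; the real middleware lives in `server.py` and may differ in detail.

```python
"""Added example (not ComfyUI's code): the flawed Origin/Host comparison
described in the submission, the `Origin: null` bypass, and a hardened check.
All names and sample requests here are assumptions for illustration."""
from urllib.parse import urlparse


def origin_check_vulnerable(headers: dict) -> int:
    """Mirror of the flawed logic: reject (403) only when Origin parses to a
    non-empty host that differs from Host. Returns the status the middleware
    would produce; 200 means the request is passed on to the handler."""
    host = headers.get("Host")
    origin = headers.get("Origin")
    if host is None or origin is None:
        return 200  # no comparison possible without both headers
    host_domain = host.lower()
    origin_domain = urlparse(origin).netloc.lower()
    # "null" has neither scheme nor authority: urlparse("null").netloc == "",
    # so the condition below is False and the cross-site request is allowed.
    if len(origin_domain) > 0 and host_domain != origin_domain:
        return 403
    return 200


def origin_check_hardened(headers: dict) -> int:
    """Hardened variant: an Origin that is present but is not an http(s) URL
    whose authority exactly matches Host is rejected. This covers the literal
    "null" value browsers send for opaque (sandboxed-iframe) origins."""
    host = headers.get("Host")
    origin = headers.get("Origin")
    if host is None or origin is None:
        return 200
    parsed = urlparse(origin)
    # Require a real scheme and authority; "null", "" and garbage all fail here.
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return 403
    if parsed.netloc.lower() != host.lower():
        return 403
    return 200


# Constructed sample header sets, modelled on what a browser sends to a local
# ComfyUI instance on 127.0.0.1:8188 (not captured traffic).
SAMPLE_REQUESTS = {
    "same_origin": {"Host": "127.0.0.1:8188", "Origin": "http://127.0.0.1:8188"},
    "cross_site": {"Host": "127.0.0.1:8188", "Origin": "https://attacker.example"},
    "sandboxed_iframe": {"Host": "127.0.0.1:8188", "Origin": "null"},
}


def run_all(check) -> dict:
    """Apply one check function to every sample request; returns name -> status."""
    return {name: check(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("vulnerable:", run_all(origin_check_vulnerable))
    print("hardened: ", run_all(origin_check_hardened))
```

The vulnerable check blocks the ordinary cross-site case but lets the `Origin: null` request through, which is exactly the gap the sandboxed-iframe reproduction exploits; the hardened check keeps same-origin requests working and rejects both. Note that neither variant rejects a request with no `Origin` header at all, which preserves non-browser API clients but means the protection only covers requests a browser will tag with an origin.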
Source: https://gist.github.com/YLChen-007/d314f8120e47601dfa3ac8b899f12d1f
User: Eric-c (UID 96848)
Submitted: 27/03/2026 13:29 (25 days ago)
Moderated: 19/04/2026 11:44 (23 days later)
Status: Accepted
VulDB Entry: 358224 [ComfyUI up to 0.13.0 server.py create_origin_only_middleware Cross-Site Request Forgery]
Points: 20
