| Field | Value |
|---|---|
| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79) |
| Source | https://gist.github.com/YLChen-007/50f0cdc5e3f7b737ce99c783e487ca0d |
| User | Eric-c (UID 96848) |
| Submission | 27.03.2026 13:32 (24 days ago) |
| Moderation | 19.04.2026 11:44 (23 days later) |
| Status | accepted |
| VulDB Entry | 358227 [ComfyUI up to 0.13.0 userdata Endpoint app/user_manager.py getuserdata cross site scripting] |
| Points | 20 |

# Description

## Technical Details

A Stored Cross-Site Scripting (XSS) vulnerability exists in the `getuserdata` handler in `app/user_manager.py` of ComfyUI.

The `/userdata/{file}` endpoint serves files via `web.FileResponse(path)`, which sets the Content-Type automatically from the file extension using `mimetypes.guess_type()`. `.html` files are therefore served as `text/html` and `.svg` files as `image/svg+xml`; both content types are rendered by the browser with JavaScript execution enabled. The `/view` endpoint was previously patched with a MIME type blocklist (commits 59d58b11, 4f4f1c64), but that fix was never applied to `/userdata`.

## Vulnerable Code

File: `app/user_manager.py` (lines 333-339)

Method: `getuserdata`

Why: `return web.FileResponse(path)` sends `Content-Type: text/html` for `.html` files with no sanitization. The `post_userdata` handler (lines 341-395) accepts arbitrary content and writes it directly to disk, so any attacker with POST access can store an XSS payload.

## Reproduction

1. Upload a malicious HTML file: `curl -X POST "http://127.0.0.1:8188/userdata/test_xss.html" -d '<html><body><script>alert(document.domain)</script></body></html>'`
2. Visit in a browser: http://127.0.0.1:8188/userdata/test_xss.html
3. JavaScript executes: `alert()` shows `127.0.0.1`.

## Impact

- Session data theft: read localStorage, which holds workflows and settings (`Comfy.PreviousWorkflow`, `Comfy.Workflow.Drafts`).
- Arbitrary API calls: queue malicious workflows, modify settings, upload/delete files as the victim.
- Data exfiltration: send stolen data to an external server.
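The following is an added example, not ComfyUI's code or its actual fix: it shows the default Content-Type decision that `web.FileResponse(path)` makes for an uploaded file, and the MIME-type blocklist treatment the text describes for `/view`, applied as a header decision for `/userdata/{file}`. The `ACTIVE_CONTENT_TYPES` set and the `response_headers_for` helper are assumptions; the returned headers are intended for the `headers=` argument of `web.FileResponse`.

```python
import mimetypes
import os

# Content types a browser renders as active content (script can run in the
# serving origin). Assumed blocklist for this example, not ComfyUI's own list.
ACTIVE_CONTENT_TYPES = frozenset({
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
})


def default_content_type(path: str) -> str:
    """The type web.FileResponse(path) falls back to when none is preset:
    mimetypes.guess_type() on the extension, else application/octet-stream."""
    guessed, _encoding = mimetypes.guess_type(path)
    return guessed or "application/octet-stream"


def response_headers_for(path: str) -> dict:
    """Headers a hardened /userdata/{file} handler would send for `path`.

    Anything whose guessed type is active content is downgraded to an opaque
    download (octet-stream plus Content-Disposition: attachment), so a stored
    .html or .svg is never rendered in the ComfyUI origin. nosniff stops the
    browser from second-guessing the declared type.
    """
    content_type = default_content_type(path)
    headers = {"X-Content-Type-Options": "nosniff"}
    base_type = content_type.split(";", 1)[0].strip().lower()
    if base_type in ACTIVE_CONTENT_TYPES:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = (
            'attachment; filename="%s"' % os.path.basename(path)
        )
    else:
        headers["Content-Type"] = content_type
    return headers


if __name__ == "__main__":
    # Constructed sample names mirroring the report's upload and benign files.
    for name in ("test_xss.html", "icon.svg", "workflow.json", "preview.png"):
        print(name, default_content_type(name), "->", response_headers_for(name))
```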