| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79) |
|---|
| Description | # Technical Details
A Stored Cross-Site Scripting (XSS) vulnerability exists in the `getuserdata` handler in `app/user_manager.py` of ComfyUI.
The `/userdata/{file}` endpoint serves files via `web.FileResponse(path)`, which automatically sets Content-Type based on file extension via `mimetypes.guess_type()`. `.html` files are served as `text/html` and `.svg` files as `image/svg+xml` — both allow JavaScript execution. The `/view` endpoint was previously patched with a MIME type blocklist (commits 59d58b11, 4f4f1c64), but this fix was never applied to `/userdata`.
# Vulnerable Code
File: app/user_manager.py (lines 333-339)
Method: getuserdata
Why: `return web.FileResponse(path)` sets Content-Type: text/html for .html files with no sanitization. The post_userdata handler (lines 341-395) accepts arbitrary content and writes it directly to disk, so any attacker with POST access can store an XSS payload.
# Reproduction
1. Upload a malicious HTML file:
`curl -X POST "http://127.0.0.1:8188/userdata/test_xss.html" -d '<html><body><script>alert(document.domain)</script></body></html>'`
2. Visit in browser: http://127.0.0.1:8188/userdata/test_xss.html
3. JavaScript executes — alert() shows 127.0.0.1.
# Impact
- Session data theft: Read localStorage containing workflows, settings (Comfy.PreviousWorkflow, Comfy.Workflow.Drafts).
- Arbitrary API calls: Queue malicious workflows, modify settings, upload/delete files as the victim.
- Data exfiltration: Send stolen data to an external server.
|
|---|
| Source | https://gist.github.com/YLChen-007/50f0cdc5e3f7b737ce99c783e487ca0d |
|---|
| User | Eric-c (UID 96848) |
|---|
| Submission | 03/27/2026 13:32 (25 days ago) |
|---|
| Moderation | 04/19/2026 11:44 (23 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 358227 [ComfyUI up to 0.13.0 userdata Endpoint app/user_manager.py getuserdata cross site scripting] |
|---|
| Points | 20 |
|---|
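The root cause in the description above is that the served Content-Type is derived purely from the file extension. The following is an added illustration of the mitigation class the `/view` fix used (a blocklist of script-capable MIME types), written here as a stand-alone standard-library helper; it is not ComfyUI's code, the blocklist contents and the header choices are assumptions, and it also includes an audit helper for finding already-stored files that a default `FileResponse` would render as active content.

```python
import mimetypes
import posixpath
import re

# Assumed blocklist (not ComfyUI's own): types a browser renders as a document
# and from which script can execute, so stored user files must never carry them.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
    "application/javascript",
    "text/javascript",
}
SAFE_FALLBACK = "application/octet-stream"


def guessed_content_type(filename: str) -> str:
    """What an extension-based FileResponse would send for this name."""
    guessed, _ = mimetypes.guess_type(posixpath.basename(filename))
    return (guessed or SAFE_FALLBACK).split(";")[0].strip().lower()


def is_active_content(filename: str) -> bool:
    """True if the extension maps to a type a browser would execute script from."""
    return guessed_content_type(filename) in ACTIVE_CONTENT_TYPES


def safe_download_headers(filename: str) -> dict:
    """Headers for serving a stored user file as inert data.

    Script-capable types are downgraded to application/octet-stream, sniffing
    is disabled, and the file is offered as a download rather than rendered.
    """
    base = posixpath.basename(filename)
    content_type = SAFE_FALLBACK if is_active_content(base) else guessed_content_type(base)
    # Keep the disposition filename free of quotes/control characters.
    disposition_name = re.sub(r"[^\w.\-]", "_", base)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{disposition_name}"',
    }


def find_risky_files(filenames) -> list:
    """Audit helper: names in a userdata listing that would render as active content."""
    return [name for name in filenames if is_active_content(name)]
```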