| Title | comfyanonymous ComfyUI <= 0.13.0 (commit 88e63705) Cross-Site Scripting (CWE-79) |
|---|
| Description | # Technical Details
A Stored XSS vulnerability exists in the `/view` endpoint in `server.py` of ComfyUI, bypassing the existing XSS fix.
The endpoint blocks `text/html`, `text/javascript`, `text/css`, and `application/xhtml+xml`, but does NOT include `image/svg+xml`. SVG supports embedded `<script>` tags per the W3C specification. The `/upload/image` endpoint accepts .svg files without extension validation, writing them to the `input/` directory which is served by `/view`. The existing fix (commits 59d58b11, 4f4f1c64) is therefore incomplete.
# Vulnerable Code
File: server.py (lines 565-576)
Method: /view endpoint MIME type blocklist
Why: `image/svg+xml` is missing from the blocklist set `{'text/html', 'text/html-sandboxed', 'application/xhtml+xml', 'text/javascript', 'text/css'}`. An SVG served as `image/svg+xml` with an inline `<script>` element executes JavaScript in the ComfyUI origin when a browser loads it as a document. The `Content-Disposition` header lacks the `attachment` directive, so browsers render the file inline instead of downloading it. Note that browsers do not run SVG scripts when the file is referenced from an `<img>` tag or from CSS; the script runs when the victim navigates to the `/view` URL directly or the SVG is embedded via `<iframe>`, `<object>` or `<embed>`, so the "share a preview image" scenario relies on the victim opening the link itself.
# Reproduction
1. Create a malicious SVG: `<svg xmlns="http://www.w3.org/2000/svg"><script>alert('XSS: ' + document.domain)</script></svg>`
2. Upload it via the image upload endpoint:
`curl -X POST "http://127.0.0.1:8188/upload/image" -F "image=@/tmp/evil.svg;type=image/svg+xml" -F "type=input" -F "overwrite=true"`
3. Open it in a browser: `http://127.0.0.1:8188/view?filename=evil.svg&type=input`
4. The alert popup confirms the XSS: the response carries `Content-Type: image/svg+xml`, which is not blocked.
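The following Python model covers both the blocklist gap described under Vulnerable Code and the upload-and-view sequence in the Reproduction steps. It is an added example written for this page, not ComfyUI's own `server.py`: only the `BLOCKLIST` set is quoted from the report. The policy functions, the `INLINE_ALLOWLIST`, the header handling for blocked types and the sample SVG documents are assumptions for illustration. It shows why `evil.svg` slips through an extension-derived blocklist, how an allowlist plus `Content-Disposition: attachment` closes the gap regardless of which types the blocklist forgot, and how an upload-side check can reject SVGs that carry script, event-handler attributes or `javascript:` links.

```python
"""Added example for this page: a stand-alone model of the /view content-type
decision the report describes, plus an upload-side check for active SVG content.
This is not ComfyUI's own server.py; only BLOCKLIST is quoted from the report.
The policy functions, header names and sample SVGs are assumptions."""
import mimetypes
import xml.etree.ElementTree as ET

# The blocklist the report quotes from server.py. image/svg+xml is absent.
BLOCKLIST = {
    "text/html", "text/html-sandboxed", "application/xhtml+xml",
    "text/javascript", "text/css",
}

# Hypothetical hardened policy: only passive media types may render inline.
INLINE_ALLOWLIST = {
    "image/png", "image/jpeg", "image/gif", "image/webp", "image/bmp",
    "video/mp4", "video/webm", "audio/mpeg", "audio/wav",
}


def guess_content_type(filename: str) -> str:
    """Extension-based guess, as a static file handler would do."""
    ctype, _ = mimetypes.guess_type(filename)
    return ctype or "application/octet-stream"


def view_headers_blocklist(filename: str) -> dict:
    """Model of the vulnerable behaviour: any guessed type that is not in
    BLOCKLIST is sent inline under that type."""
    ctype = guess_content_type(filename)
    if ctype in BLOCKLIST:
        # Assumption: blocked types are degraded to a download. The exact
        # handling in server.py is not shown on the page.
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": "attachment"}
    return {"Content-Type": ctype, "Content-Disposition": "inline"}


def view_headers_allowlist(filename: str) -> dict:
    """Hardened model: inline rendering only for allowlisted passive types;
    everything else is forced to download and must not be MIME-sniffed."""
    ctype = guess_content_type(filename)
    if ctype in INLINE_ALLOWLIST:
        return {"Content-Type": ctype, "Content-Disposition": "inline",
                "X-Content-Type-Options": "nosniff"}
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": "attachment",
            "X-Content-Type-Options": "nosniff"}


# Upload-side defence: reject SVGs that carry executable content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
ACTIVE_URL_SCHEMES = ("javascript:", "vbscript:")


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains script-bearing elements, on* event-handler
    attributes or href values using an executable URL scheme. Input that
    does not parse as XML is treated as active (reject by default)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        # Strip the {namespace} prefix ElementTree puts on tag names.
        if el.tag.rsplit("}", 1)[-1].lower() in ACTIVE_ELEMENTS:
            return True
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()   # handles xlink:href too
            if local.startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith(ACTIVE_URL_SCHEMES):
                return True
    return False


# Constructed samples for the demo (not files from the report).
EVIL_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
SNEAKY_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="9" onload="alert(1)"/></svg>'
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="9" fill="red"/></svg>'

if __name__ == "__main__":
    for name in ("evil.svg", "evil.html", "preview.png"):
        print(name, view_headers_blocklist(name), view_headers_allowlist(name))
    for label, doc in (("evil", EVIL_SVG), ("sneaky", SNEAKY_SVG), ("benign", BENIGN_SVG)):
        print(label, "active" if svg_has_active_content(doc) else "passive")
```

Running the block prints `evil.svg` served as `image/svg+xml` inline under the blocklist model and as an `application/octet-stream` attachment under the allowlist model, while `preview.png` stays inline in both. The allowlist is the durable fix: it does not depend on enumerating every type a browser will execute. The SVG scanner is a defence in depth for the upload path; for untrusted XML in production, parsing with `defusedxml` instead of the stdlib parser avoids entity-expansion attacks, and any file that fails the check should be rejected rather than silently rewritten.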
# Impact
- Session data theft: Access localStorage with workflows and user settings.
- Arbitrary API calls: Queue malicious workflows or delete data on behalf of the victim.
- Social engineering: SVG files appear as harmless image previews, making "share a preview image" attacks highly effective.
|
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/1d91fabb465284d7a974746f7e6cc5cc |
|---|
| User | Eric-c (UID 96848) |
|---|
| Submitted | 2026-03-27 13:34 (24 days ago) |
|---|
| Moderated | 2026-04-19 11:44 (23 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 358228 [ComfyUI up to 0.13.0 View Endpoint server.py Cross Site Scripting] |
|---|
| Points | 20 |
|---|