ComfyUI Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability affects ComfyUI versions prior to 0.2.2. ComfyUI ships without authentication, so any user whose browser can reach the ComfyUI listener (by default 127.0.0.1:8188) is effectively an authenticated user; what an attacker borrows is not a cookie but the victim browser's network position. An attacker who lures such a user to a malicious website can have the browser issue arbitrary API requests to ComfyUI on the user's behalf, for example uploading attacker-chosen files through the '/upload/image' endpoint. The absence of CSRF protections (no validation of the Origin header against the Host header and no anti-CSRF token) on several API endpoints, including '/upload/image', '/prompt', and '/history', exposes users to unauthorized actions. A multipart/form-data POST is a CORS "simple request", so the browser sends it without a preflight and the upload succeeds even though the attacker's page cannot read the response. This vulnerability could be chained with other issues, such as stored cross-site scripting, to further compromise user sessions.
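The check that closes this class of bug is a same-origin test on every state-changing endpoint: reject a request whose Origin header does not match the Host header (ports included), and honour Sec-Fetch-Site when a browser sends it. The following is an added example written for this page, not ComfyUI's own code; the Request class, the handle() dispatcher and the sample requests are constructed for illustration, and the 127.0.0.1:8188 listener address is ComfyUI's default.

```python
"""Origin/Host consistency check of the kind that blocks CSRF against a
cookie-less local API such as ComfyUI's /upload/image, /prompt and /history.
Added example with constructed requests; not ComfyUI's own code."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}
PROTECTED = {"/upload/image", "/prompt", "/history"}  # endpoints named in the advisory


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for the example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def origin_allowed(req, server_scheme="http"):
    """True if the request is same-origin or comes from a non-browser client.

    Rules, in order:
      1. Sec-Fetch-Site: cross-site  -> reject (modern browsers send it).
      2. No Origin header            -> allow (curl, scripts, same-origin GET;
                                        browsers attach Origin to every POST).
      3. Origin 'null' or unparsable -> reject (sandboxed iframe, data: page).
      4. Origin host:port must equal Host host:port, with default ports filled
         in, so a page on http://127.0.0.1 cannot drive 127.0.0.1:8188.
    """
    if (req.header("Sec-Fetch-Site") or "").lower() == "cross-site":
        return False
    origin = req.header("Origin")
    if origin is None:
        return True
    o = urlsplit(origin)
    if o.scheme not in DEFAULT_PORT or not o.hostname:
        return False  # covers the literal "null" origin as well
    try:
        o_port = o.port or DEFAULT_PORT[o.scheme]
    except ValueError:
        return False
    host = req.header("Host")
    if not host:
        return False
    h = urlsplit("//" + host)
    try:
        h_port = h.port or DEFAULT_PORT[server_scheme]
    except ValueError:  # e.g. "Host: 127.0.0.1:abc"
        return False
    return (o.hostname.lower(), o_port) == ((h.hostname or "").lower(), h_port)


def handle(req):
    """Tiny dispatcher returning (status, body); protected paths get the check."""
    if req.path in PROTECTED and not origin_allowed(req):
        return 403, "cross-origin request rejected"
    return 200, f"ok: {req.method} {req.path}"


HOST = "127.0.0.1:8188"  # ComfyUI's default listener
SAMPLES = {  # constructed requests, not captured traffic
    "same_origin_upload": Request("POST", "/upload/image",
        {"Host": HOST, "Origin": "http://127.0.0.1:8188", "Sec-Fetch-Site": "same-origin"}),
    "cross_site_upload": Request("POST", "/upload/image",
        {"Host": HOST, "Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site"}),
    "cross_site_old_browser": Request("POST", "/prompt",
        {"Host": HOST, "Origin": "http://attacker.example"}),  # no Sec-Fetch-Site
    "curl_no_origin": Request("POST", "/prompt", {"Host": HOST}),
    "null_origin": Request("POST", "/upload/image", {"Host": HOST, "Origin": "null"}),
    "wrong_port": Request("POST", "/prompt", {"Host": HOST, "Origin": "http://127.0.0.1"}),
    "bad_host_port": Request("POST", "/prompt",
        {"Host": "127.0.0.1:abc", "Origin": "http://127.0.0.1:8188"}),
}


def run_samples():
    """Map each sample name to the status code handle() returns for it."""
    return {name: handle(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{name:24} -> {status}")
```

The attacking page needs nothing more elaborate than `fetch("http://127.0.0.1:8188/upload/image", {method: "POST", mode: "no-cors", body: formData})`: because multipart/form-data is a CORS-safelisted content type the browser sends it without a preflight, the upload lands, and only the (unneeded) response is withheld from the attacker. The check above refuses that request on the Origin mismatch alone, so it works even in browsers that do not send Sec-Fetch-Site; the explicit port comparison matters because Origin and Host both carry a port, and comparing bare hostnames would let any other service on the same host forge requests.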
Impact
Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, such as uploading arbitrary files to the application through '/upload/image' or queueing attacker-chosen workflows through '/prompt'.
