Comfyanonymous Comfyui Server-Side Request Forgery Vulnerability
Vulnerability
A non-blind Server-Side Request Forgery (SSRF) vulnerability has been identified in Comfyanonymous Comfyui version v0.2.4. It arises from improper handling of the 'url' parameter of the 'POST /internal/models/download' API: the server fetches the supplied URL on the requester's behalf, so the endpoint can be used to reach web resources the requester is not authorized for, using the victim server's credentials, and the fetched content is returned to the requester (hence non-blind).
Impact
Exploitation of this vulnerability allows attackers to use the victim server's credentials to access restricted web resources.
Reproduction
To reproduce this vulnerability, first upload a file named 'secret.safetensors' to the 'checkpoints' directory of the ComfyUI installation. Then, send a POST request to '/internal/models/download' with the URL of the uploaded file, the model directory, and the correct folder path. After successfully downloading the file, send a GET request to '/view' with the subfolder and filename parameters to access the contents of the downloaded file, which will include the data from the original URL.
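As an added mitigation example (not ComfyUI's own code), the following Python function shows the checks a download endpoint should apply to a user-supplied 'url' parameter before fetching it: an allow-list of scheme, host and port, rejection of URLs carrying credentials, and resolution of the host so that names pointing at loopback, private or link-local space (such as the server itself or a cloud metadata address) are refused. The allow-listed hosts are hypothetical placeholders, and the resolver is injectable so the checks can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list for illustration; a deployment would list the
# model hosts it actually trusts (these names are hypothetical).
ALLOWED_HOSTS = frozenset({"huggingface.co", "civitai.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def resolve_host(host):
    """Return every IP address the host currently resolves to (live DNS lookup)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_download_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_host):
    """Validate a user-supplied download URL before the server fetches it.

    Returns (ok, reason). Callers should connect to the address that was
    validated (pin it) rather than re-resolving, to close the rebinding gap.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"          # blocks http://, file://, gopher://, ...
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"          # e.g. https://trusted.host@other.host/
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not in allow-list"      # IP literals never match the allow-list
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "port not allowed"
    # Even an allow-listed name must not resolve into internal address space.
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "no addresses"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
            return False, f"resolves to internal address {addr}"
    return True, "ok"
```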
