ComfyUI Cross-Site Scripting Vulnerability in Image Upload Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in ComfyUI versions through 0.3.39. This issue arises from an incomplete fix for a previous vulnerability (CVE-2024-10099) in the image upload functionality. The vulnerability allows remote attackers to manipulate the 'image' argument, leading to the execution of malicious JavaScript payloads. The exploitation requires user interaction, such as uploading a file via the image upload feature.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload a file through the image upload feature that uses an accepted extension whose content a browser renders as a document and can execute JavaScript, such as .svg or .xhtml. The uploaded file can carry a script payload, such as a JavaScript alert, which executes when the file is served back to the browser, demonstrating the cross-site scripting vulnerability.
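As an added defensive example (not ComfyUI's own code, and the function names are hypothetical), the check below shows how an image-upload endpoint can refuse script-capable "image" formats like the ones above: it decides by the file's magic bytes rather than the client-supplied name, rejects anything that looks like SVG/XHTML/HTML markup, and serves accepted files with headers that stop a browser from treating them as a document.

```python
import re
from typing import Optional, Tuple, Dict

# Magic-byte signatures of raster formats a browser cannot execute script in.
RASTER_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions that a browser renders as a document (script-capable), never as a plain bitmap.
DOCUMENT_EXTENSIONS = {"svg", "xhtml", "html", "htm", "xml"}

# Markup that turns an "image" into a scriptable document when served inline.
MARKUP_RE = re.compile(rb"<\s*(svg|html|xhtml|script|\?xml)", re.IGNORECASE)


def sniff_raster(data: bytes) -> Optional[str]:
    """Return the raster format name if the bytes start with a known signature, else None."""
    for name, sigs in RASTER_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return name
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # WebP: RIFF....WEBP
        return "webp"
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only verified raster images; reject anything the browser could treat as markup."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in DOCUMENT_EXTENSIONS:
        return False, f"extension .{ext} is a document format that can carry script"
    if MARKUP_RE.search(data[:512]):  # catches e.g. an SVG renamed to .png
        return False, "content looks like markup, not a raster image"
    fmt = sniff_raster(data)
    if fmt is None:
        return False, "unrecognised image format"
    return True, fmt


def serve_headers(fmt: str) -> Dict[str, str]:
    """Response headers for an accepted upload: typed by sniffed format, never by the client."""
    return {
        "Content-Type": f"image/{fmt}",
        "X-Content-Type-Options": "nosniff",          # no MIME sniffing into text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if mis-served
    }
```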

Added: Jun 15, 2025, 6:16 PM
Updated: Jun 15, 2025, 6:16 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  7.7
remediation     0.0
relevance       0.2
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.