ComfyUI Cross-Site Request Forgery Vulnerability in Origin Validation Middleware
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in ComfyUI versions through 0.13.0. The issue arises in the 'create_origin_only_middleware' function within 'server.py', where the middleware fails to properly validate the 'Origin' header. This flaw allows remote attackers to bypass the CSRF protection that the middleware is meant to provide. The lack of authentication in ComfyUI further exacerbates the issue, as it leaves the application open to unauthorized access via the victim's browser.
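A strict 'Origin' check of the kind such a middleware is meant to perform, as an added example: it is not ComfyUI's code and does not reproduce the specific defect in 'create_origin_only_middleware', which this advisory does not detail. The function names, the allow-list value and the policy of refusing state-changing requests that carry no 'Origin' header are assumptions.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if unusable."""
    if not value or value == "null":
        return None  # opaque origins (sandboxed frames, data: URLs) never match
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError for e.g. ":8188.evil.example"
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A browser-sent Origin has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def request_allowed(method, headers, allowed_origins):
    """Exact-match the Origin header against an allow-list of origins.

    `headers` is any mapping with .get(); a plain dict is case-sensitive,
    so a real server should pass its case-insensitive header object.
    """
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = headers.get("Origin")
    if origin is None:
        # Assumed policy: with no Origin there is nothing to compare, so only
        # methods that must not change state are let through.
        return method.upper() in SAFE_METHODS
    return normalize_origin(origin) in allowed


if __name__ == "__main__":
    ALLOWED = ["http://127.0.0.1:8188"]  # constructed sample value
    for sample in ("http://127.0.0.1:8188", "http://127.0.0.1:8188.evil.example",
                   "http://127.0.0.1.evil.example:8188", "null"):
        print(sample, request_allowed("POST", {"Origin": sample}, ALLOWED))
```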
Impact
Exploitation of this vulnerability allows for cross-site request forgery, where an attacker can manipulate the victim's ComfyUI session. This includes executing workflows, accessing and exfiltrating data, uploading files, and potentially causing a denial-of-service.
Reproduction
To reproduce this vulnerability, upload a file containing a cross-site scripting (XSS) payload to the '/userdata/' endpoint, which serves files with the 'text/html' content type. Then, redirect the victim to the uploaded file, which will execute the JavaScript in the context of ComfyUI.
