ComfyUI Path Traversal Vulnerability in LoadImage Node
Vulnerability
A path traversal vulnerability has been identified in ComfyUI versions through 0.13.0. The issue arises in the LoadImage node, specifically within the folder_paths.get_annotated_filepath function in folder_paths.py. The vulnerability can be exploited remotely by placing '../' sequences in the 'image' input field; the value is passed to 'os.path.join()' without validation that the resulting path stays inside the intended directory. This flaw can be exploited to access arbitrary files on the server.
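The following is an added illustration of the flaw class, not ComfyUI's own code: `unsafe_resolve` mirrors the pattern of joining a user-controlled name onto a base directory with no containment check, and `safe_resolve` shows the fix a maintainer would apply (canonicalise both paths and require the result to remain under the base). Function names and the base directory are assumptions made for this example.

```python
import os

# Added example, not ComfyUI code. The function names and the base
# directory used in the comments below are assumptions for illustration.


def unsafe_resolve(base_dir, user_name):
    """Unsafe pattern: join the caller-supplied name onto base_dir with no
    check that the result is still inside base_dir. Both '..' segments and
    an absolute user_name (which makes os.path.join discard base_dir
    entirely) escape the directory."""
    return os.path.join(base_dir, user_name)


def is_inside(base_dir, path):
    """True when `path`, after resolving symlinks and '..' segments, lies
    strictly below base_dir."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(path)
    if candidate == base_real:
        # The directory itself is never a valid file to load.
        return False
    try:
        return os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:
        # Raised for mixed absolute/relative paths or different drives.
        return False


def safe_resolve(base_dir, user_name):
    """Hardened variant: build the candidate path, then refuse it unless it
    resolves inside base_dir. Returns the canonical path or None."""
    candidate = os.path.join(os.path.realpath(base_dir), user_name)
    if not is_inside(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    base = "/srv/comfy/input"  # assumed base directory
    for name in ("cat.png", "sub/../cat.png", "../../etc/hostname", "/etc/hostname"):
        print(f"{name!r:24} unsafe -> {unsafe_resolve(base, name)!r:40} "
              f"safe -> {safe_resolve(base, name)!r}")
```

The check compares canonical paths rather than looking for the literal string '../', so encoded or symlinked variants are handled by the same rule, and the directory itself is rejected as well as anything outside it.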
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to bypass file path restrictions, leading to unauthorized access to files outside the intended directory. This could include sensitive files such as configuration files or SSH keys. Additionally, the vulnerability allows for the exfiltration of image files from the server by chaining node functionalities within the ComfyUI application.
Reproduction
To reproduce this vulnerability, upload a crafted workflow via the 'POST /prompt' API, including a path traversal payload in the 'image' input of the LoadImage node. After the workflow is executed, the response can be checked for successful exploitation. The output can be downloaded through the ComfyUI '/view' endpoint.
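Because the trigger arrives as a workflow submitted to 'POST /prompt', a defender can inspect request bodies (at a reverse proxy, in access logs, or in a pre-execution hook) for LoadImage nodes whose file-name inputs would leave the input directory. The scanner below is an added detection example, not ComfyUI code; it assumes the request body has the shape {"prompt": {"<node_id>": {"class_type": ..., "inputs": {...}}}}, and the sample body is constructed for the example.

```python
import json
import re
from urllib.parse import unquote

# Added detection example, not ComfyUI code. The assumed body layout is
# {"prompt": {node_id: {"class_type": str, "inputs": {name: value}}}}.

# Leading slash, backslash, or Windows drive letter: an absolute path.
_ABS_RE = re.compile(r"^(?:[A-Za-z]:)?[\\/]")


def is_traversal(value):
    """True when a file-name input looks like it would leave the base
    directory: an absolute path, or any '..' path segment (checked after
    one round of percent-decoding to catch %2e%2e style variants)."""
    if not isinstance(value, str):
        return False
    decoded = unquote(value)
    if _ABS_RE.match(decoded):
        return True
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments


def find_traversal_inputs(body, watch_classes=("LoadImage",)):
    """Scan a parsed /prompt body for string inputs on the watched node
    classes that contain traversal. Returns (node_id, input_name, value)
    tuples in node order; an empty list means nothing suspicious."""
    findings = []
    for node_id, node in body.get("prompt", {}).items():
        if node.get("class_type") not in watch_classes:
            continue
        for name, value in node.get("inputs", {}).items():
            if is_traversal(value):
                findings.append((node_id, name, value))
    return findings


def scan_raw_request(raw_json):
    """Convenience wrapper for a raw request body string."""
    return find_traversal_inputs(json.loads(raw_json))


# Constructed sample body: one benign LoadImage node and one traversal
# attempt. The annotation suffix in the value is a constructed detail.
SAMPLE_BODY = {
    "prompt": {
        "3": {"class_type": "LoadImage", "inputs": {"image": "cat.png"}},
        "7": {"class_type": "LoadImage",
              "inputs": {"image": "../../../outside.txt [input]"}},
        "9": {"class_type": "SaveImage",
              "inputs": {"filename_prefix": "../escape", "images": ["7", 0]}},
    }
}

if __name__ == "__main__":
    for hit in find_traversal_inputs(SAMPLE_BODY):
        print("traversal input:", hit)
```

The default only watches LoadImage, the node named in this advisory; pass a wider `watch_classes` tuple to cover other file-loading nodes. Inputs that are lists (node links such as ["7", 0]) are skipped because only strings can name a file.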
