Platform
python
Component
comfyui_bmad_nodes
Fixed in
* (no fixed release available at the time of writing)
CVE-2024-21576 describes a critical code injection vulnerability in ComfyUI-Bmad-Nodes, a Python-based custom node pack for ComfyUI. An attacker who can get a crafted workflow loaded executes arbitrary Python on the server hosting ComfyUI. All released versions of ComfyUI-Bmad-Nodes are affected and no fixed version has been published, so users should apply the mitigations below until an official patch is available.
The impact is severe. The affected nodes pass strings taken from the workflow definition to Python's eval() (the detection checks below look for exactly that sink), so a string that a legitimate workflow would fill with a numeric range or index can instead carry any Python expression, which runs with the privileges of the ComfyUI process when the workflow executes. That allows full compromise of the host: data exfiltration, malware installation, persistence, or denial of service. Because the payload lives inside an ordinary workflow file, it can be distributed through seemingly legitimate channels (shared workflow repositories, community posts, model bundles), which widens the attack surface considerably. This is the classic pattern of user-supplied data being evaluated as code without validation.
The vulnerability was publicly disclosed on December 13, 2024. Its CRITICAL CVSS rating reflects the severity of the outcome (remote code execution by anyone able to submit a workflow); the EPSS score listed below (0.04%) separately estimates the probability of exploitation in the wild, which is currently low. The exploit is trivial to write, since it amounts to placing a Python expression in a node's string field, so public proof-of-concept workflows are likely to appear even though none had been widely reported at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog.
Users who have deployed ComfyUI-Bmad-Nodes in production environments, particularly those with public-facing instances or those allowing untrusted users to upload or modify workflows, are at significant risk. Shared hosting environments where multiple users share the same ComfyUI instance are also particularly vulnerable.
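To make the injection concrete, the following is an added example written for this page, not code from ComfyUI-Bmad-Nodes. It models a node that accepts an HSV range as a string such as "(0, 100, 50)": the vulnerable version hands the string to eval(), the hardened version parses it with ast.literal_eval() and then validates shape and range. The field format, the function names and the 0..255 bounds are assumptions for illustration; the real node's exact input format is not reproduced here.

```python
import ast

# Constructed example, not code from ComfyUI-Bmad-Nodes: a node that takes an HSV
# range as a string such as "(0, 100, 50)". The exact field names and formats used
# by the real BuildColorRangeHSVAdvanced node are an assumption here.

def parse_range_unsafe(text: str):
    # The injection pattern: the workflow string goes straight to eval(), so any
    # Python expression the workflow author writes runs on the ComfyUI server.
    return eval(text)  # deliberately vulnerable


def parse_range_safe(text: str, lo: int = 0, hi: int = 255) -> tuple:
    # Hardened replacement: ast.literal_eval accepts only Python literals (no calls,
    # no attribute access, no names), and the result is then checked for shape
    # and range so that only a 3-tuple of bounded integers gets through.
    if len(text) > 64:
        raise ValueError("input too long")
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {text!r}") from exc
    if not (isinstance(value, (tuple, list)) and len(value) == 3):
        raise ValueError("expected three components")
    if not all(isinstance(v, int) and not isinstance(v, bool) and lo <= v <= hi
               for v in value):
        raise ValueError(f"components must be integers in [{lo}, {hi}]")
    return tuple(value)


def safe_rejects(text: str) -> bool:
    """True if the hardened parser refuses the string."""
    try:
        parse_range_safe(text)
    except ValueError:
        return True
    return False


# Constructed workflow strings: one benign, one carrying a payload. The payload only
# reads the server's process id so the demonstration is harmless, but any expression
# (e.g. __import__('os').system(...)) would execute the same way via eval().
BENIGN = "(10, 50, 200)"
PAYLOAD = "__import__('os').getpid()"


def demo() -> dict:
    return {
        "unsafe_benign": parse_range_unsafe(BENIGN),
        # The payload "parses" to an int: code ran on the server.
        "unsafe_payload_ran": isinstance(parse_range_unsafe(PAYLOAD), int),
        "safe_benign": parse_range_safe(BENIGN),
        "safe_payload_blocked": safe_rejects(PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that ast.literal_eval removes the code-execution risk but not every abuse (a huge nested literal can still exhaust memory), which is why the length cap and the shape check are part of the hardened parser rather than optional extras.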
• python / server:
import os
import sys

# ComfyUI-Bmad-Nodes is installed as a ComfyUI custom node directory, not as a pip
# package, so check the custom_nodes folder of the ComfyUI install rather than
# trying to import it. Every released version is affected, so any install counts.
def check_comfyui_nodes(comfyui_root):
    custom_nodes = os.path.join(comfyui_root, "custom_nodes")
    if not os.path.isdir(custom_nodes):
        print(f"No custom_nodes directory under {comfyui_root}")
        return False
    for entry in os.listdir(custom_nodes):
        if entry.lower() == "comfyui_bmad_nodes":
            print(f"Vulnerable ComfyUI-Bmad-Nodes detected: {os.path.join(custom_nodes, entry)}")
            return True
    print("ComfyUI-Bmad-Nodes not found.")
    return False

check_comfyui_nodes(sys.argv[1] if len(sys.argv) > 1 else ".")
• generic web:
# ComfyUI's /object_info endpoint lists every registered node class; if any of the
# three affected class names appear, the vulnerable extension is loaded on that server.
curl -s http://your-comfyui-server/object_info | grep -oE 'BuildColorRangeHSVAdvanced|FilterContour|FindContour' | sort -u
• generic web:
# Locate the eval() sinks in the installed extension source.
grep -rn 'eval(' /path/to/ComfyUI/custom_nodes/comfyui_bmad_nodes
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
While a patch is pending, several mitigation steps reduce the risk. First, restrict access to the ComfyUI server to trusted users only; ComfyUI has no authentication of its own, so put it behind a VPN, an authenticating reverse proxy, or at least a firewall rule. Treat every workflow file from an external source as untrusted input and review the string fields of the affected nodes before loading it. Where a Web Application Firewall or reverse proxy sits in front of the server, it would need to inspect the JSON body of submitted workflows for Python expression syntax (calls, attribute access, dunder names) rather than just URLs or headers. Monitor system logs for unusual activity, such as unexpected child processes of the ComfyUI process or file modifications outside its output directories. As a temporary measure, disabling or removing the vulnerable custom nodes (BuildColorRangeHSVAdvanced, FilterContour, FindContour) prevents exploitation at the cost of the functionality they provide. After implementing these measures, verify them in a controlled environment by loading a test workflow that places a harmless Python expression in one of those nodes' string fields and confirming that it is rejected or does not execute.
Update the ComfyUI-Bmad-Nodes package to the latest available version as soon as a release addressing the code injection is published. Make sure to restart ComfyUI after updating, since custom nodes are loaded at startup.
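The review and verification steps above can be automated. The following scanner is an added example written for this page, not part of ComfyUI or ComfyUI-Bmad-Nodes. It walks a saved workflow in either of ComfyUI's two JSON layouts (the API/prompt format keyed by node id with "class_type" and "inputs", and the UI save format with a "nodes" list carrying "type" and "widgets_values"), flags any string reaching one of the three affected node classes that is not a plain numeric literal, and flags Python-looking tokens in any other string. The accepted literal grammar and the suspicious-token list are assumptions about what legitimate inputs look like, and the embedded workflows are constructed samples.

```python
import json
import re

# Added example, not part of ComfyUI-Bmad-Nodes or ComfyUI. Node class names come
# from the advisory; the literal grammar and token list below are assumptions.
AFFECTED_NODES = {"BuildColorRangeHSVAdvanced", "FilterContour", "FindContour"}
# What a legitimate range/index string should look like: digits, separators, brackets.
LITERAL_RE = re.compile(r"^[\s\d,\.\-\[\]\(\)]*$")
# Tokens that have no business in a numeric literal and indicate an injection attempt.
SUSPICIOUS_RE = re.compile(
    r"__import__|__builtins__|\bimport\b|\bos\.|subprocess|\beval\b|\bexec\b"
    r"|\bopen\(|\blambda\b|getattr"
)


def _string_inputs(workflow):
    """Yield (node_id, class_type, value) for every string input of every node.

    Handles both ComfyUI layouts: the UI save format ({"nodes": [{"id", "type",
    "widgets_values"}]}) and the API/prompt format ({id: {"class_type", "inputs"}}).
    """
    if isinstance(workflow.get("nodes"), list):  # UI save format
        for node in workflow["nodes"]:
            for value in node.get("widgets_values") or []:
                if isinstance(value, str):
                    yield str(node.get("id")), node.get("type", ""), value
        return
    for node_id, node in workflow.items():  # API/prompt format
        if not isinstance(node, dict):
            continue
        for value in node.get("inputs", {}).values():
            # Links to other nodes are lists like ["3", 0]; only literal strings matter.
            if isinstance(value, str):
                yield str(node_id), node.get("class_type", ""), value


def scan_workflow(workflow_json: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    workflow = json.loads(workflow_json)
    findings = []
    for node_id, class_type, value in _string_inputs(workflow):
        if class_type in AFFECTED_NODES and not LITERAL_RE.match(value):
            findings.append({"node": node_id, "class": class_type, "value": value,
                             "reason": "non-literal string reaches eval-based node"})
        elif SUSPICIOUS_RE.search(value):
            # Any node: a Python-ish payload in a string is worth a look even if the
            # node class was renamed or the value is routed on to another node.
            findings.append({"node": node_id, "class": class_type, "value": value,
                             "reason": "suspicious Python token in workflow string"})
    return findings


# Constructed sample in the API/prompt format: one benign range, one injected payload.
SAMPLE_PROMPT = json.dumps({
    "3": {"class_type": "LoadImage", "inputs": {"image": "input.png"}},
    "4": {"class_type": "BuildColorRangeHSVAdvanced",
          "inputs": {"image": ["3", 0], "range": "(0, 100, 50)"}},
    "5": {"class_type": "FindContour",
          "inputs": {"image": ["3", 0], "index": "__import__('os').system('id')"}},
})

# Constructed sample in the UI save format with the same benign/malicious pair.
SAMPLE_UI = json.dumps({"nodes": [
    {"id": 7, "type": "FilterContour", "widgets_values": ["[0, 2]"]},
    {"id": 8, "type": "FilterContour", "widgets_values": ["open('/etc/passwd').read()"]},
]})

if __name__ == "__main__":
    for sample in (SAMPLE_PROMPT, SAMPLE_UI):
        for finding in scan_workflow(SAMPLE_PROMPT if sample is SAMPLE_PROMPT else SAMPLE_UI):
            print(finding)
```

Run it over a workflow before loading it, or wire scan_workflow() into a proxy that sees POSTs to ComfyUI's /prompt endpoint; a non-empty result is a reason to refuse the workflow, and an empty result only means this allowlist-style check passed, not that the file is safe in every other respect.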
CVE-2024-21576 is a critical code injection vulnerability in ComfyUI-Bmad-Nodes that lets an attacker execute arbitrary code on the server through crafted strings in a workflow. It affects all released versions.
Yes, all versions of ComfyUI-Bmad-Nodes are currently affected. If you have this extension installed, you are at risk.
A patch is pending. Until a fixed release is available, restrict access to the server, validate workflow inputs, disable the affected nodes, and filter submitted workflows as described above.
No widespread exploitation has been confirmed, but the vulnerability is trivial to exploit, so working payloads are likely to appear. Monitor your systems closely.
Refer to the ComfyUI-Bmad-Nodes GitHub repository (bmad4ever/comfyui_bmad_nodes) for updates and advisories regarding this vulnerability.