Platform
python
Component
comfyanonymous/comfyui
Fixed in
0.3.41
CVE-2025-6107 is a vulnerability affecting ComfyUI version 0.3.40 (the affected range is given as 0.3.40 through 0.3.40). The issue is the manipulation of dynamically determined object attributes in the set_attr function located in /comfy/utils.py. A remote attacker could potentially exploit this flaw. A fix is available in version 0.3.41.
The vulnerability lies in the set_attr function, which allows for the dynamic setting of object attributes. An attacker could leverage this to modify the behavior of ComfyUI, potentially leading to arbitrary code execution or denial of service. While the complexity of the attack is considered high, the public disclosure of the exploit increases the risk of exploitation. The ability to launch the attack remotely expands the potential attack surface, making systems running vulnerable versions of ComfyUI susceptible to compromise.
This vulnerability was publicly disclosed on 2025-06-16. The vendor, comfyanonymous, was contacted but did not respond. The exploit's public availability and relatively high complexity suggest a moderate risk of exploitation. No KEV listing or EPSS score is currently available. The description indicates the exploit has been disclosed, increasing the likelihood of exploitation.
Users running ComfyUI version 0.3.40 are at direct risk. This includes individuals and organizations utilizing ComfyUI for AI image generation and experimentation. Shared hosting environments where ComfyUI is deployed could also be affected, potentially impacting multiple users.
• python / ComfyUI: check the installed ComfyUI version
import subprocess

# Ask the ComfyUI command-line entry point for its version
try:
    result = subprocess.run(['comfyui', '--version'], capture_output=True, text=True, check=False)
except FileNotFoundError:
    print('comfyui executable not found on PATH.')
else:
    version = result.stdout.strip()
    if version == '0.3.40':
        print('Vulnerable ComfyUI version detected!')
    else:
        print('ComfyUI version is not vulnerable.')
• python / ComfyUI: monitor the file system for modifications to /comfy/utils.py
import os
import time

file_path = '/comfy/utils.py'
try:
    # Record the modification time once, then poll for changes
    last_modified = os.path.getmtime(file_path)
    while True:
        time.sleep(60)  # Check every minute
        current_modified = os.path.getmtime(file_path)
        if current_modified != last_modified:
            print(f'File {file_path} has been modified!')
            break
except FileNotFoundError:
    print(f'File {file_path} not found.')
EPSS
0.07% (21st percentile)
The primary mitigation is to upgrade ComfyUI to version 0.3.41 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider adding input validation in the set_attr function to restrict which attribute names and values can be assigned. A direct WAF rule is unlikely to help, but monitoring network traffic for unusual requests aimed at the set_attr code in /comfy/utils.py could give early warning of exploitation attempts. After upgrading, confirm the fix by attempting to trigger the previously vulnerable set_attr function with malicious input and verifying that it is properly rejected.
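The interim mitigation above is the kind of validation a guarded attribute setter would perform. The following is an added example, not code from ComfyUI or from this advisory; the page only states that set_attr in /comfy/utils.py sets dynamically determined attributes. ModelConfig, ALLOWED_ATTRS, safe_set_attr and apply_updates are all constructed names for this illustration and do not reproduce ComfyUI's own implementation.

```python
"""Guarded dynamic attribute assignment.

Added example, not code from ComfyUI or from the advisory. It shows the
validation the advisory recommends as an interim mitigation: restrict which
attribute names may be set dynamically and which values they may take.
ModelConfig, ALLOWED_ATTRS, safe_set_attr and apply_updates are constructed.
"""
import re

# A plain identifier: lowercase letters, digits, single underscores, no
# leading underscore. This rejects dotted paths ("a.b") and dunder names.
_PLAIN_NAME = re.compile(r"^[a-z][a-z0-9_]*$")

# Explicit allowlist of attribute names that may be set dynamically, keyed
# by class name (constructed example values).
ALLOWED_ATTRS = {
    "ModelConfig": {"steps", "cfg_scale", "sampler"},
}


class AttributeRejected(ValueError):
    """Raised when a dynamic attribute assignment fails validation."""


class ModelConfig:
    """Constructed target object with a few settable fields."""

    def __init__(self):
        self.steps = 20
        self.cfg_scale = 7.0
        self.sampler = "euler"
        self._internal = "not settable from outside"


def safe_set_attr(obj, name, value):
    """Set obj.<name> = value only if name and value pass validation.

    Returns the attribute name on success; raises AttributeRejected otherwise.
    """
    # 1. The name must be a plain identifier (no dots, no dunders, no leading
    #    underscore), so it cannot reach internals such as __class__.
    if not isinstance(name, str) or not _PLAIN_NAME.match(name):
        raise AttributeRejected(f"malformed attribute name: {name!r}")
    # 2. The name must be on the allowlist for this object's class.
    allowed = ALLOWED_ATTRS.get(type(obj).__name__, frozenset())
    if name not in allowed:
        raise AttributeRejected(f"attribute not allowlisted: {name!r}")
    # 3. The attribute must already exist: dynamic assignment may overwrite a
    #    declared field but never create a new one.
    if not hasattr(obj, name):
        raise AttributeRejected(f"attribute does not exist: {name!r}")
    # 4. The new value must have exactly the type of the current value
    #    (strict: an int is not accepted for a float field).
    expected = type(getattr(obj, name))
    if type(value) is not expected:
        raise AttributeRejected(
            f"type mismatch for {name!r}: expected {expected.__name__}, "
            f"got {type(value).__name__}"
        )
    setattr(obj, name, value)
    return name


def apply_updates(obj, updates):
    """Apply a mapping of attribute updates, e.g. from a JSON request body.

    Returns (applied, rejected): the names that were set and those refused.
    """
    applied, rejected = [], []
    for name, value in updates.items():
        try:
            applied.append(safe_set_attr(obj, name, value))
        except AttributeRejected:
            rejected.append(name)
    return applied, rejected


if __name__ == "__main__":
    cfg = ModelConfig()
    # Constructed request: legitimate fields mixed with names that must
    # never be reachable through a dynamic attribute path.
    request = {
        "steps": 30,
        "__class__": object,
        "_internal": "x",
        "cfg_scale": "high",
        "sampler": "dpmpp_2m",
        "nonexistent": 1,
    }
    print(apply_updates(cfg, request))
```

The four checks are deliberately ordered from cheapest to most specific: the regex alone already refuses dotted traversal and dunder names, the allowlist bounds the surface to fields you chose to expose, and the existence and type checks stop a request from creating new state or changing a field's type. Logging each rejected name gives a detection signal for probing attempts against the setter.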
Update to a patched version of comfyui that fixes the manipulation of dynamically determined object attributes. If no such version is available, consider manually applying a patch to the file /comfy/utils.py or disabling the affected functionality until an update is released.
CVE-2025-6107 is a vulnerability in ComfyUI version 0.3.40 (affected range 0.3.40–0.3.40) that allows attackers to manipulate object attributes, potentially leading to code execution or denial of service.
You are affected if you are running ComfyUI version 0.3.40. Upgrade to version 0.3.41 to mitigate the risk.
Upgrade ComfyUI to version 0.3.41 or later. If immediate upgrade is not possible, implement input validation on attribute settings.
The exploit has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the comfyanonymous GitHub repository for updates and advisories related to CVE-2025-6107.