Platform
python
Component
comfyanonymous/comfyui
CVE-2024-12882 describes a Server-Side Request Forgery (SSRF) vulnerability found in ComfyUI, a Python-based UI for Stable Diffusion. This flaw allows attackers to leverage the ComfyUI server to make requests to internal or external resources, potentially exposing sensitive data or performing unauthorized actions. The vulnerability impacts versions up to the latest release and can be mitigated by upgrading to a patched version. The vulnerability was publicly disclosed on March 20, 2025.
The SSRF vulnerability in ComfyUI allows an attacker to craft malicious requests through the /internal/models/download and /view endpoints. By manipulating these requests, an attacker can force the ComfyUI server to make requests to arbitrary URLs, effectively using the server as a proxy. This can lead to the exposure of internal network resources, access to sensitive data stored on those resources, and potentially even the execution of arbitrary code on systems accessible from the ComfyUI server. The blast radius extends to any internal network segment accessible by the ComfyUI server, making it a significant security risk.
The vulnerability is publicly known and documented. While no active exploitation campaigns have been confirmed as of March 20, 2025, the ease of exploitation and the potential impact make it a likely target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is expected to emerge shortly following public disclosure.
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12882 is to upgrade ComfyUI to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These may include restricting network access to the ComfyUI server, implementing strict firewall rules to limit outbound connections, and carefully reviewing and validating all user inputs to prevent malicious URL manipulation. Monitoring network traffic for unusual outbound requests originating from the ComfyUI server can also help detect potential exploitation attempts. After upgrade, confirm by attempting a request to an internal resource and verifying that it is properly blocked or handled according to your security policies.
Update to a version later than 0.2.4 of ComfyUI. This will resolve the SSRF vulnerability. See the release notes for more details about the update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-12882 is a Server-Side Request Forgery vulnerability in ComfyUI versions up to the latest, allowing attackers to make requests through the server to access unauthorized resources.
If you are running ComfyUI version ≤latest, you are potentially affected by this SSRF vulnerability. Assess your network configuration and implement mitigations.
Upgrade ComfyUI to the patched version as soon as it's released. Until then, implement temporary workarounds like restricting network access and validating user inputs.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the Comfyanonymous/comfyui GitHub repository and related security announcements for the official advisory and patch information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.