Platform: python
Component: comfyui_bmad_nodes
Fixed in: *
CVE-2024-21576 describes a critical code injection vulnerability affecting ComfyUI-Bmad-Nodes, a Python-based extension for ComfyUI. This vulnerability allows attackers to execute arbitrary code on the server by crafting malicious workflow strings. All versions of ComfyUI-Bmad-Nodes are currently affected, and a fix is pending. Users are urged to implement mitigation strategies until an official patch is released.
The impact of this vulnerability is severe. An attacker can inject malicious code into a ComfyUI workflow, which, when executed, will run on the server hosting the ComfyUI instance. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The ability to execute arbitrary code grants the attacker significant control over the affected system. The vulnerability's reliance on workflow manipulation makes it particularly concerning, as malicious workflows could be distributed through seemingly legitimate channels, increasing the attack surface. This is similar to vulnerabilities where user-supplied data is directly evaluated without proper sanitization.
This vulnerability was publicly disclosed on December 13, 2024. Its CRITICAL CVSS score indicates a high probability of exploitation. The ease of exploitation, combined with the potential for significant impact, makes this a high-priority concern. No public proof-of-concept exploits have been widely reported at the time of writing, but the vulnerability's simplicity suggests that such exploits are likely to emerge. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.04% (12th percentile)
While a direct patch is pending, several mitigation steps can reduce the risk. First, restrict access to the ComfyUI server to trusted users only. Implement strict input validation and sanitization on all user-supplied data, particularly within the workflow definition. Consider deploying a Web Application Firewall (WAF) with rules to detect and block suspicious workflow patterns or code injection attempts. Monitor system logs for unusual activity, such as unexpected process executions or file modifications. As a temporary measure, disabling the vulnerable custom nodes (BuildColorRangeHSVAdvanced, FilterContour, FindContour) can prevent exploitation, but will impact functionality. After implementing these measures, verify their effectiveness by attempting to load a known malicious workflow in a controlled environment.
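As an added example (not code from the ComfyUI-Bmad-Nodes project), this is what "strict input validation" of a node's string input can look like in Python: a contour-filter expression such as `area > 100 and area < 5000` (the expression syntax and the measurement names `area` and `perimeter` are assumptions) is parsed with `ast` and walked against an allow-list of numeric literals, named measurements, arithmetic and comparisons, so calls, attribute access, subscripts and unknown names are rejected instead of being handed to `eval()`.

```python
import ast
import operator

# Constructed example, not project code: a filter expression from a workflow
# string is evaluated over a fixed set of per-contour measurements through an
# allow-listed AST walk, replacing a direct eval() of the raw string.

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMP_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}


class UnsafeExpression(ValueError):
    """Raised for any syntax outside the allow-list."""


def _eval(node, env):
    if isinstance(node, ast.Expression):
        return _eval(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):            # only known measurement names
        if node.id not in env:
            raise UnsafeExpression(f"unknown variable {node.id!r}")
        return env[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand, env)
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left, env), _eval(node.right, env))
    if isinstance(node, ast.BoolOp):          # "and" / "or"
        values = [_eval(v, env) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):         # supports chains: 100 < area < 5000
        left = _eval(node.left, env)
        for op, comp in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise UnsafeExpression(f"operator {type(op).__name__} not allowed")
            right = _eval(comp, env)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    # Call, Attribute, Subscript, Lambda, string constants, ... all land here.
    raise UnsafeExpression(f"{type(node).__name__} not allowed")


def filter_contours(expression, contours):
    """Return the contours (dicts of measurements) for which expression holds."""
    tree = ast.parse(expression, mode="eval")
    return [c for c in contours if _eval(tree, c)]
```

A workflow string that is not a plain numeric filter fails with `UnsafeExpression` (or `SyntaxError` from `ast.parse`) before anything is executed, which is also the point at which to log the rejected node and workflow for the monitoring recommended above.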
Once a fixed release is available, update the ComfyUI-Bmad-Nodes package to that version; this resolves the code injection vulnerability. Ensure you restart ComfyUI after the update.
CVE-2024-21576 is a critical code injection vulnerability in ComfyUI-Bmad-Nodes allowing attackers to execute arbitrary code on the server through crafted workflow strings. It affects all versions.
Yes, all versions of ComfyUI-Bmad-Nodes are currently affected by this vulnerability. If you are using this extension, you are at risk.
A direct patch is pending. Implement mitigation strategies such as input validation, WAF rules, and restricting access until a fix is released.
While no widespread exploitation has been confirmed, the vulnerability's simplicity suggests that exploits are likely to emerge. Monitor your systems closely.
Refer to the ComfyUI project's official channels (GitHub repository, website) for updates and advisories regarding this vulnerability.