Plateforme
python
Composant
comfyanonymous/comfyui
Corrigé dans
0.3.41
CVE-2025-6107 is a vulnerability affecting ComfyUI versions 0.3.40 through 0.3.40. This issue involves the manipulation of dynamically-determined object attributes within the set_attr function located in /comfy/utils.py. A remote attacker could potentially exploit this flaw. A fix is available in version 0.3.41.
The vulnerability lies in the set_attr function, which allows for the dynamic setting of object attributes. An attacker could leverage this to modify the behavior of ComfyUI, potentially leading to arbitrary code execution or denial of service. While the complexity of the attack is considered high, the public disclosure of the exploit increases the risk of exploitation. The ability to launch the attack remotely expands the potential attack surface, making systems running vulnerable versions of ComfyUI susceptible to compromise.
This vulnerability was publicly disclosed on 2025-06-16. The vendor, comfyanonymous, was contacted but did not respond. The exploit's public availability and relatively high complexity suggest a moderate risk of exploitation. No KEV listing or EPSS score is currently available. The description indicates the exploit has been disclosed, increasing the likelihood of exploitation.
Users running ComfyUI version 0.3.40 are at direct risk. This includes individuals and organizations utilizing ComfyUI for AI image generation and experimentation. Shared hosting environments where ComfyUI is deployed could also be affected, potentially impacting multiple users.
• python / ComfyUI:
import os
import subprocess
# Check ComfyUI version
process = subprocess.Popen(['comfyui', '--version'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
version = stdout.decode('utf-8').strip()
if version == '0.3.40':
print('Vulnerable ComfyUI version detected!')
else:
print('ComfyUI version is not vulnerable.')• python / ComfyUI: Monitor file system for modifications to /comfy/utils.py
import os
import time
file_path = '/comfy/utils.py'
while True:
try:
last_modified = os.path.getmtime(file_path)
time.sleep(60) # Check every minute
current_modified = os.path.getmtime(file_path)
if current_modified != last_modified:
print(f'File {file_path} has been modified!')
break
except FileNotFoundError:
print(f'File {file_path} not found.')
breakdisclosure
patch
Statut de l'Exploit
EPSS
0.07% (percentile 21%)
CISA SSVC
Vecteur CVSS
The primary mitigation is to upgrade ComfyUI to version 0.3.41 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the attributes being set within the setattr function to restrict the values that can be assigned. While a direct WAF rule is unlikely, monitoring network traffic for unusual requests targeting /comfy/utils.py could provide early warning signs of exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable setattr function with malicious input and verifying that it is properly handled.
Mettez à jour vers une version corrigée de comfyui qui résout la vulnérabilité de manipulation d'attributs d'objets déterminés dynamiquement. Si aucune version n'est disponible, envisagez d'appliquer un correctif manuel au fichier /comfy/utils.py ou de désactiver la fonctionnalité affectée jusqu'à ce qu'une mise à jour soit publiée.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-6107 is a vulnerability in ComfyUI versions 0.3.40–0.3.40 that allows attackers to manipulate object attributes, potentially leading to code execution or denial of service.
You are affected if you are running ComfyUI version 0.3.40. Upgrade to version 0.3.41 to mitigate the risk.
Upgrade ComfyUI to version 0.3.41 or later. If immediate upgrade is not possible, implement input validation on attribute settings.
The exploit has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the comfyanonymous GitHub repository for updates and advisories related to CVE-2025-6107.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Téléverse ton fichier requirements.txt et nous te dirons instantanément si tu es affecté.