Platform
python
Component
comfyanonymous/comfyui
CVE-2024-12882 describes a Server-Side Request Forgery (SSRF) vulnerability found in ComfyUI, a Python-based UI for Stable Diffusion. This flaw allows attackers to leverage the ComfyUI server to make requests to internal or external resources, potentially exposing sensitive data or performing unauthorized actions. The vulnerability impacts versions up to the latest release and can be mitigated by upgrading to a patched version. The vulnerability was publicly disclosed on March 20, 2025.
The SSRF vulnerability in ComfyUI allows an attacker to craft malicious requests through the /internal/models/download and /view endpoints. By manipulating these requests, an attacker can force the ComfyUI server to make requests to arbitrary URLs, effectively using the server as a proxy. This can lead to the exposure of internal network resources, access to sensitive data stored on those resources, and potentially even the execution of arbitrary code on systems accessible from the ComfyUI server. The blast radius extends to any internal network segment accessible by the ComfyUI server, making it a significant security risk.
The vulnerability is publicly known and documented. While no active exploitation campaigns have been confirmed as of March 20, 2025, the ease of exploitation and the potential impact make it a likely target for attackers. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is expected to emerge shortly following public disclosure.
Organizations running ComfyUI, particularly those with internal network resources accessible from the server, are at risk. Environments utilizing ComfyUI for sensitive tasks or data processing are especially vulnerable. Shared hosting environments where ComfyUI is deployed alongside other applications should be carefully assessed for potential cross-tenant impact.
• python / server:

import requests
import urllib.parse


def check_ssrf(url):
    """Issue a GET to the given URL and report the outcome.

    Only http/https schemes are attempted; request errors are reported
    rather than raised so the check can be run over a list of URLs.
    """
    try:
        parsed_url = urllib.parse.urlparse(url)
        if parsed_url.scheme in ('http', 'https'):
            response = requests.get(url, timeout=5)
            print(f"URL: {url}, Status Code: {response.status_code}")
        else:
            print(f"Invalid URL scheme: {url}")
    except requests.exceptions.RequestException as e:
        print(f"Error accessing {url}: {e}")


# Example usage - check a potentially malicious URL
check_ssrf("http://localhost/internal/sensitive/data")

• generic web:

curl -I 'http://your-comfyui-server/internal/models/download?url=http://internal-resource/'

Disclosure
Exploit Status
EPSS
0.13% (32% percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-12882 is to upgrade ComfyUI to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. These may include restricting network access to the ComfyUI server, implementing strict firewall rules to limit outbound connections, and carefully reviewing and validating all user inputs to prevent malicious URL manipulation. Monitoring network traffic for unusual outbound requests originating from the ComfyUI server can also help detect potential exploitation attempts. After upgrade, confirm by attempting a request to an internal resource and verifying that it is properly blocked or handled according to your security policies.
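One way to implement the "validate all user inputs" workaround described above, as an added example that is not code from this page or from the ComfyUI project: a stdlib-only validator a server could apply to a user-supplied download URL before fetching it on the caller's behalf. The helper name `validate_outbound_url` is hypothetical, and the `FAKE_DNS` table and `fake_resolver` are constructed so the example runs offline; a real deployment would use the default `socket.getaddrinfo`-based resolver. It goes beyond the single localhost case on the page: it also rejects the cloud metadata address, IPv4-mapped IPv6 literals, embedded credentials, non-http schemes, and hostnames that resolve to a mix of public and internal records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    """Resolve a hostname to every address it has (A and AAAA records).

    Checking only the first record is a known filter bypass: a name can
    round-robin between a public and an internal address.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(ip_text):
    """True only for globally routable addresses.

    IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1 are unwrapped first so
    the IPv4 checks apply to them as well.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (
        addr.is_private        # RFC 1918, loopback, link-local (incl. 169.254.169.254), doc ranges
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_outbound_url(url, resolver=_default_resolver, allowed_hosts=None):
    """Decide whether a user-supplied URL may be fetched server-side.

    Hypothetical helper (not ComfyUI's own code). Returns (allowed, reason).
    An explicit allowlist of hosts is the stronger control; the address
    checks are the fallback when one cannot be maintained.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:                      # socket.gaierror is an OSError
            return False, f"resolution failed for {host!r}: {exc}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    for ip_text in addrs:                           # every record must be public
        try:
            public = _is_public(ip_text)
        except ValueError:
            return False, f"unparseable address {ip_text!r}"
        if not public:
            return False, f"{host!r} resolves to non-public address {ip_text}"
    return True, "ok"


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "models.example": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal record
}


def fake_resolver(host):
    """Constructed resolver: answers from FAKE_DNS, fails like DNS otherwise."""
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"constructed: no records for {host}")


if __name__ == "__main__":
    samples = [
        "https://models.example/sd/v1-5.safetensors",
        "http://localhost/internal/sensitive/data",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example/",
        "file:///etc/passwd",
        "http://user:secret@models.example/",
    ]
    for sample in samples:
        ok, why = validate_outbound_url(sample, resolver=fake_resolver)
        print(f"{'ALLOW' if ok else 'DENY ':5} {sample} ({why})")
```

Two caveats for anyone wiring this in: HTTP clients such as `requests` follow redirects by default, so a public URL can still bounce the server to an internal one unless redirects are disabled and each hop is re-validated; and resolving a name at check time and again at connect time leaves a DNS rebinding window, which is closed by connecting to the address that was validated rather than re-resolving the name.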
Upgrade to a version of ComfyUI later than 0.2.4. This will fix the SSRF vulnerability. Consult the release notes for more details about the update.
CVE-2024-12882 is a Server-Side Request Forgery vulnerability in ComfyUI versions up to the latest, allowing attackers to make requests through the server to access unauthorized resources.
If you are running ComfyUI at any version up to and including the latest release, you are potentially affected by this SSRF vulnerability. Assess your network configuration and implement mitigations.
Upgrade ComfyUI to the patched version as soon as it's released. Until then, implement temporary workarounds like restricting network access and validating user inputs.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a likely target. Monitor your systems for suspicious activity.
Refer to the Comfyanonymous/comfyui GitHub repository and related security announcements for the official advisory and patch information.