Server-Side Request Forgery in ComfyUI by ComfyAnonymous
CVE-2024-12882

7.5HIGH

Key Information:

Vendor: Comfyanonymous
Status: Comfyanonymous/comfyui
Vendor: CVE Published:; 20 March 2025

🔔 Create Comfyanonymous Vulnerability Alert

What is CVE-2024-12882?

A non-blind Server-Side Request Forgery (SSRF) vulnerability exists in ComfyUI version v0.2.4, which can be exploited by attacking specific REST API endpoints. By leveraging the POST /internal/models/download and GET /view APIs, malicious actors can manipulate the victim server into making unauthorized requests, potentially exposing sensitive web resources and compromising security credentials.

Affected Version(s)

comfyanonymous/comfyui <= unspecified

References

https://huntr.com/bounties/e8768cb1-6a80-40c1-9cdf-bcd21f...

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Dec 20, 2024

JSON