Remote Code Execution Vulnerability in Custom Node Installation Endpoint
CVE-2024-21574

10CRITICAL

Key Information:

Vendor: Ltdrdata
Status: Comfyui-manager
Vendor: CVE Published:; 12 December 2024

What is CVE-2024-21574?

A significant security issue exists in ComfyUI-Manager, where the lack of validation for the pip field in POST requests to the /customnode/install endpoint can be exploited. This vulnerability allows an attacker to create a malicious request that could result in unauthorized pip installations from user-controlled packages or URLs. Consequently, this behavior enables the potential for remote code execution on the server, posing a serious risk to the integrity and confidentiality of the server's environment.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

ComfyUI-Manager 0 < 2.51.1

References

https://github.com/ltdrdata/ComfyUI-Manager/commit/ffc095...

https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Raul Onitza-Klugman (Snyk Security Research)

JSON

Ltdrdata

What is CVE-2024-21574?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.