Remote Code Execution Vulnerability in Custom Node Installation Endpoint
CVE-2024-21574

10CRITICAL

Key Information:

Vendor: Ltdrdata
Status: Comfyui-manager
Vendor: CVE Published:; 12 December 2024

Summary

A significant security issue exists in ComfyUI-Manager, where the lack of validation for the pip field in POST requests to the /customnode/install endpoint can be exploited. This vulnerability allows an attacker to create a malicious request that could result in unauthorized pip installations from user-controlled packages or URLs. Consequently, this behavior enables the potential for remote code execution on the server, posing a serious risk to the integrity and confidentiality of the server's environment.

Affected Version(s)

ComfyUI-Manager 0 < 2.51.1

References

https://github.com/ltdrdata/ComfyUI-Manager/commit/ffc095...

https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 12, 2024
Vulnerability Reserved
Dec 22, 2023

Credit

Raul Onitza-Klugman (Snyk Security Research)