Vulnerability in ComfyUI-Impact-Pack Could Lead to Remote Code Execution
CVE-2024-21575
What is CVE-2024-21575?
The ComfyUI-Impact-Pack extension contains a Path Traversal vulnerability due to inadequate validation of the image.filename parameter in POST requests directed to the /upload/temp endpoint. This flaw allows attackers to manipulate the file paths, writing arbitrary files to the server's filesystem. In certain scenarios, this vulnerability can escalate to remote code execution, potentially compromising the entire system. Users and admins of affected versions are advised to implement immediate remediation measures and monitor for any unauthorized file uploads.
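The filename validation whose absence is described above can be sketched as follows. This is an added example, not code from ComfyUI-Impact-Pack or its fix; the function names, directory layout and sample filenames are hypothetical and constructed for illustration.

```python
import os
import tempfile

def naive_upload_path(temp_dir, filename):
    # Weak pattern: the client-supplied name is joined as-is, so "../"
    # segments or an absolute path decide where the file lands.
    return os.path.join(temp_dir, filename)

def safe_upload_path(temp_dir, filename):
    """Return a path inside temp_dir for filename, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or malformed filename")
    # Keep only the final component; treat "\\" as a separator on every OS.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("filename has no usable base name")
    root = os.path.realpath(temp_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    # Containment check after symlink resolution, so a link planted in the
    # upload directory cannot redirect the write either.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes upload directory")
    return candidate

def is_contained(temp_dir, path):
    root = os.path.realpath(temp_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def demo():
    """Map each constructed sample to (naive path contained?, safe base name)."""
    samples = ["preview.png", "../outside.py", "..\\..\\outside.py",
               "/abs/outside.py", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        temp_dir = os.path.join(base, "temp")
        os.mkdir(temp_dir)
        for sample in samples:
            naive_ok = is_contained(temp_dir, naive_upload_path(temp_dir, sample))
            try:
                safe = os.path.basename(safe_upload_path(temp_dir, sample))
            except ValueError:
                safe = None
            results[sample] = (naive_ok, safe)
    return results

if __name__ == "__main__":
    for sample, outcome in demo().items():
        print(repr(sample), outcome)
```

The same containment test can be run over an existing upload directory's parent tree to spot files that landed outside it.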

Affected Version(s)
ComfyUI-Impact-Pack 0 < 7.6.2
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
