PT-2025-12042 · Comfyanonymous · Comfyui

Published: 2025-03-20 · Updated: 2025-07-29 · CVE-2024-10481

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: comfyanonymous/comfyui versions up to v0.2.2

Description: A CSRF issue exists: an attacker can host a malicious website that, when visited by an authenticated user, performs arbitrary API requests on that user's behalf. This can be exploited to upload arbitrary files via the "/upload/image" endpoint. The lack of CSRF protections on API endpoints such as "/upload/image", "/prompt", and "/history" leaves users exposed to unauthorized actions.

Recommendations: For versions up to v0.2.2, as a temporary workaround, consider disabling access to the vulnerable API endpoints "/upload/image", "/prompt", and "/history" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation, and avoid using them in user sessions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
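As an added illustration of the mitigation behind these recommendations (same-origin enforcement on state-changing requests rather than switching the endpoints off), the following Python check is example code, not ComfyUI's own. It assumes the server hands each request's method and headers to the check (it would normally sit in a middleware in front of /upload/image, /prompt and /history), and the host name in the sample traffic is constructed.

```python
from urllib.parse import urlsplit

# Browsers send these methods cross-site freely and they must not change
# state, so the Origin check is applied only to the remaining (unsafe) ones.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

def _source_host(value):
    """host[:port] from an Origin/Referer value; None if absent or "null"."""
    if not value or value == "null":
        return None
    return urlsplit(value).netloc.lower() or None

def is_cross_site(method, headers):
    """True if an unsafe request should be refused as cross-site.

    Accept only when Origin (or, failing that, Referer) names the same
    host[:port] as the Host header. A request carrying neither fails closed:
    browsers attach Origin to every cross-origin POST, and first-party
    clients of /upload/image, /prompt or /history can add it themselves.
    Default-port normalisation (https://x vs. x:443) is deliberately omitted.
    """
    if method.upper() in SAFE_METHODS:
        return False
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").lower()
    source = _source_host(h.get("origin")) or _source_host(h.get("referer"))
    if source is None or not host:
        return True
    return source != host

# Constructed sample traffic (host name made up): a legitimate UI call, the
# cross-site upload the advisory describes, a Referer-only client, a bare
# POST with no provenance header, and a plain read of /history.
SAMPLE_REQUESTS = [
    ("POST", "/upload/image", {"Host": "comfyui.lan:8188", "Origin": "http://comfyui.lan:8188"}),
    ("POST", "/upload/image", {"Host": "comfyui.lan:8188", "Origin": "http://attacker.example"}),
    ("POST", "/prompt", {"Host": "comfyui.lan:8188", "Referer": "http://comfyui.lan:8188/queue"}),
    ("POST", "/history", {"Host": "comfyui.lan:8188"}),
    ("GET", "/history", {"Host": "comfyui.lan:8188"}),
]

def triage(requests=SAMPLE_REQUESTS):
    """Apply the check to each (method, path, headers) triple."""
    return [is_cross_site(m, h) for m, _, h in requests]

if __name__ == "__main__":
    for (m, p, _), blocked in zip(SAMPLE_REQUESTS, triage()):
        print(f"{m} {p}: {'refuse' if blocked else 'allow'}")
```

The second and fourth sample requests are the ones a deployment should see refused; logging refusals with the offending Origin value gives a simple detection signal for CSRF attempts against these endpoints.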

Exploit

CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-10481

Affected Products: Comfyui