CVE-2024-10481
Severity: NONE · EPSS: 10.9%
Published Mar 20, 2025 · Last modified Jun 17, 2026
Description
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as uploading arbitrary files via the `/upload/image` endpoint. The lack of CSRF protections on API endpoints like `/upload/image`, `/prompt`, and `/history` leaves users vulnerable to unauthorized actions, which could be combined with other vulnerabilities such as stored-XSS to further compromise user sessions.
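The description above turns on one server-side omission: the API handlers never check where a request came from, so a browser that has been lured to an attacker's page will happily POST a multipart body to `/upload/image` (a "simple" request that needs no CORS preflight, so the server receives it even though the attacker cannot read the response). The following is an added example, not ComfyUI's own code, of the check whose absence is the bug: it classifies a request as forged from its `Sec-Fetch-Site`, `Origin` and `Referer` headers measured against the `Host` header. The header sets at the bottom are constructed for the demonstration; the `127.0.0.1:8188` address is ComfyUI's default listener and `attacker.example` is a placeholder.

```python
"""
Origin / Fetch-Metadata check for state-changing API requests.
Added example, not ComfyUI's own code: it shows the kind of check whose
absence makes CVE-2024-10481 possible. Host, port and header values used
below are constructed for the demonstration, not captured traffic.
"""
from urllib.parse import urlsplit

# Methods that change server state. A browser can issue any of these
# cross-site without a CORS preflight when the body is form-encoded,
# multipart (how /upload/image is reached) or text/plain.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_host(value):
    """Return the 'scheme://host[:port]' of an Origin or Referer header, or None."""
    if not value or value.strip().lower() == "null":
        return None
    parts = urlsplit(value.strip())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_forged(method, headers, allowed_origins=()):
    """
    Decide whether a request should be rejected as cross-site.

    headers:         mapping of header name -> value (names normalised here)
    allowed_origins: extra 'scheme://host:port' origins that may call the API,
                     e.g. a front-end served from a different port.
    Returns (forged: bool, reason: str).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return False, "safe method"

    # 1. Fetch Metadata: current browsers state where the request came from.
    sfs = h.get("sec-fetch-site", "").lower()
    if sfs == "cross-site":
        return True, "Sec-Fetch-Site: cross-site"
    if sfs in ("same-origin", "none"):  # 'none' = typed URL / bookmark
        return False, f"Sec-Fetch-Site: {sfs}"

    # 2. Fall back to Origin, then Referer (older browsers send only Referer).
    src = _origin_host(h.get("origin")) or _origin_host(h.get("referer"))
    if src is None:
        if "origin" in h:  # 'Origin: null' is an opaque/sandboxed origin
            return True, "Origin: null"
        # No browser-supplied source at all: curl, scripts, API clients.
        return False, "no browser origin information (non-browser client)"

    host = h.get("host", "").lower()
    expected = {f"{scheme}://{host}" for scheme in ("http", "https")}
    expected.update(o.lower() for o in allowed_origins)
    if src in expected:
        return False, f"origin {src} matches Host"
    return True, f"origin {src} does not match Host {host}"


# Constructed sample requests (not captured traffic).
LEGIT = {"Host": "127.0.0.1:8188", "Origin": "http://127.0.0.1:8188",
         "Sec-Fetch-Site": "same-origin"}                  # the real ComfyUI tab
FORGED = {"Host": "127.0.0.1:8188", "Origin": "http://attacker.example",
          "Sec-Fetch-Site": "cross-site"}                  # attacker page, modern browser
OLD_BROWSER_FORGED = {"Host": "127.0.0.1:8188",
                      "Referer": "http://attacker.example/page.html"}  # no Fetch Metadata
CLI = {"Host": "127.0.0.1:8188"}                           # curl / Python client

if __name__ == "__main__":
    for name, hdrs in [("legit", LEGIT), ("forged", FORGED),
                       ("old-browser forged", OLD_BROWSER_FORGED), ("cli", CLI)]:
        print(f"{name:>18}: {is_forged('POST', hdrs)}")
```

The policy deliberately lets through requests that carry no `Origin`, `Referer` or `Sec-Fetch-Site` at all, because ComfyUI is commonly driven by scripts and those headers are only ever set by browsers; if that is unacceptable, the same hook is where a synchronizer token check belongs. The function is transport-agnostic, so it can be wrapped in an aiohttp middleware (ComfyUI's server is aiohttp-based) that returns 403 whenever `is_forged` reports `True`.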
Threat Intelligence
EPSS exploit probability: 10.9%
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses (1)
CWE-352 Cross-Site Request Forgery (CSRF)
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| comfy | comfyui | * | ≤0.2.2 |
References (1)
- huntr.com https://huntr.com/bounties/f4d5bfb5-6ff1-4356-b81f-f8c01d2e6ded
Remediation
No remediation data recorded yet. Check vendor advisories and the NVD entry for patch availability.
Until a fixed release is confirmed, the general CSRF mitigations apply: keep the ComfyUI listener bound to localhost rather than exposing it on a network, avoid browsing untrusted sites in the same browser profile while the server is running, and, where the deployment allows, front the API with Origin/Referer (or Fetch Metadata) validation or a synchronizer token so that state-changing requests originating from other sites are rejected.