CVE-2024-12882

High CVSS: 7.5

comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse the victim server's credentials to access unauthorized web resources.

Vendor

Comfy

Product

Comfyui

CWE

CWE-918

Yayın Tarihi

2025-03-20 10:15:31

Güncelleme

2025-08-01 01:18:23

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-918 Comfyui HIGH Comfy 2025

Referanslar

https://huntr.com/bounties/e8768cb1-6a80-40c1-9cdf-bcd21f01f85a

Benzer Kayıtlar

High

CVE-2026-22777

ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an att…

High

CVE-2025-67303

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration a…

Medium

CVE-2024-10481

A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host…