CVE-2024-10481

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-10481
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-10481.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-10481
Published
2025-03-20T10:15:17.010Z
Modified
2025-11-15T15:11:51.958151Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Summary
[none]
Details

A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as uploading arbitrary files via the /upload/image endpoint. The lack of CSRF protections on API endpoints like /upload/image, /prompt, and /history leaves users vulnerable to unauthorized actions, which could be combined with other vulnerabilities such as stored-XSS to further compromise user sessions.

References

Affected packages

Git / github.com/comfyanonymous/comfyui

Affected ranges

Type
GIT
Repo
https://github.com/comfyanonymous/comfyui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

Other

latest

v0.*

v0.0.1
v0.0.2
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.2.1
v0.2.2