Compliance Impact

The vulnerability allows attackers to execute stored cross-site scripting (XSS) attacks by uploading malicious files that execute JavaScript in the context of the ComfyUI origin.

This enables attackers to access and steal sensitive data stored in the victim’s localStorage, including workflows, settings, and session data, and perform arbitrary API calls on behalf of the victim.

Such unauthorized access and potential data exfiltration could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these common standards and regulations by potentially exposing sensitive user data and compromising application integrity.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in ComfyUI up to version 0.13.0, specifically in the getuserdata function within the app/user_manager.py file of the userdata Endpoint component.

The issue allows an attacker to perform cross-site scripting (XSS) attacks by manipulating this function.

The attack can be executed remotely, meaning an attacker does not need local access to exploit it.

The vulnerability has been publicly disclosed and the vendor did not respond to the notification.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to cross-site scripting attacks, which may allow attackers to execute malicious scripts in the context of the affected application.

Such attacks can result in the theft of user session tokens, defacement of the website, or redirection to malicious sites.

Since the attack can be performed remotely, it increases the risk of exploitation without requiring physical or internal network access.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the /userdata/{file} endpoint for the ability to upload and serve files with unsafe MIME types that allow script execution, such as .html or .svg files containing JavaScript.

A practical approach is to upload a malicious HTML file containing JavaScript via a POST request and then access the uploaded file to verify if the script executes.

Example commands to detect the vulnerability include:

• Upload a test HTML file with embedded JavaScript using curl: curl -X POST "http://127.0.0.1:8188/userdata/test_xss.html" -d '<html><body><script>alert(document.domain)</script></body></html>'
• Access the uploaded file in a browser to check if the JavaScript executes.
• Verify the Content-Type header returned by the server using curl: curl -D - "http://127.0.0.1:8188/userdata/test_xss.html"

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability to upload files to the /userdata endpoint, especially files with extensions that can be interpreted as executable scripts such as .html and .svg.

Implement Content-Type sanitization on the /userdata endpoint similar to the /view endpoint by forcing dangerous MIME types to application/octet-stream to prevent script execution.

Until a patch is available, consider restricting access to the /userdata endpoint to trusted users only or disabling the endpoint if possible.

Monitor and audit uploaded files for suspicious content and remove any files that could be exploited.

Useful 0 Not Useful 0