Medium

lollms-webui

CSRF Vulnerability in ComfyUI Installation Endpoint

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the ComfyUI installation endpoint of lollms-webui, affecting v9.9. Because the endpoint performs a state-changing action on a plain GET request with no authentication or anti-CSRF check, an attacker can trick a victim into installing ComfyUI on their own machine without intending to; on a device without enough disk or compute capacity for the install, the result can be a crash. The advisory records the fix under version 9.9, so only installations carrying that fix are protected.

Available publicly on Oct 12 2024

CVSS: 4.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

Threat Overview

The vulnerability arises from serving the ComfyUI installation action over a GET request that requires neither authentication nor any proof that the request originated from the lollms-webui interface itself (no CSRF token, no Origin check or similar). A GET needs no user interaction beyond loading a page: an attacker-controlled webpage can issue it through an auto-submitted form, an image tag or a redirect, and the victim's browser delivers it to the lollms-webui server. Since the request is made by the victim's browser, the server does not need to be reachable from the internet; an instance bound only to localhost is reached just as well. If the device lacks the disk or compute capacity for the install, the attempt can crash it and disrupt the victim's work.

Attack Scenario

An attacker hosts a webpage containing a form whose action is the ComfyUI installation endpoint and whose method is GET, plus a script that submits the form as soon as the page loads. The attacker lures the victim to the page (a link in chat or email suffices). When the victim's browser loads it, the form is submitted automatically and the browser requests the installation endpoint on the victim's own lollms-webui instance, triggering the installation without the victim's knowledge. If the device lacks sufficient capacity, it may crash.
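The following stand-alone Python is an added example, not code from lollms-webui or from this advisory. It models the request the attack page above produces and shows the check a hardened installer endpoint would apply to it: refuse GET for a mutating action, verify browser fetch metadata and Origin/Referer against the UI's own origin, and require a per-session token. The endpoint path /install_comfyui, the port 9600, the allowed origins and the X-CSRF-Token header name are assumptions made for the example.

```python
"""Added example: the request check a state-changing endpoint such as the
ComfyUI installer should perform.  Not lollms-webui code; the endpoint
path, port, allowed origins and token header name are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

# Assumed: the web UI is served from one of these origins.
ALLOWED_ORIGINS = {"http://localhost:9600", "http://127.0.0.1:9600"}
TOKEN_HEADER = "X-CSRF-Token"      # assumed header carrying the token
INSTALL_PATH = "/install_comfyui"  # assumed path of the installer endpoint


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session synchronizer token the UI must echo back."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def origin_of(url: str) -> str:
    """Reduce a Referer URL to scheme://host[:port]; '' if unusable."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def is_allowed(req: Request, session: dict) -> tuple[bool, str]:
    """Decide whether a request may trigger the installer.

    Checks are layered: GET is refused outright, then browser fetch
    metadata and Origin/Referer are compared with the UI's own origin,
    and finally the per-session token is verified in constant time.
    """
    # 1. A GET can be fired by an <img>, a redirect or an auto-submitted
    #    form on any site, so a mutating action must never accept it.
    if req.method.upper() != "POST":
        return False, "state-changing action requires POST"
    # 2. Modern browsers label cross-site requests via Sec-Fetch-Site.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"rejected Sec-Fetch-Site={site}"
    # 3. Origin header, falling back to Referer for clients that omit it.
    origin = req.headers.get("Origin") or origin_of(req.headers.get("Referer", ""))
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    # 4. Token bound to the session; compare_digest avoids timing leaks.
    sent = req.headers.get(TOKEN_HEADER, "")
    expected = session.get("csrf", "")
    if not (sent and expected and hmac.compare_digest(sent, expected)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def attacker_request() -> Request:
    """Constructed request as produced by the advisory's attack page: a
    form on evil.example auto-submits a GET to the installer endpoint."""
    return Request("GET", INSTALL_PATH, {
        "Referer": "https://evil.example/lure.html",
        "Sec-Fetch-Site": "cross-site",
    })


def legitimate_request(token: str) -> Request:
    """Constructed request as the real UI would send after the fix."""
    return Request("POST", INSTALL_PATH, {
        "Origin": "http://localhost:9600",
        "Sec-Fetch-Site": "same-origin",
        TOKEN_HEADER: token,
    })


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(is_allowed(attacker_request(), session))        # (False, ...)
    print(is_allowed(legitimate_request(token), session))  # (True, 'ok')
```

The checks are deliberately redundant: Referer can be stripped by referrer policy, older clients do not send Sec-Fetch-Site, and an Origin check alone does nothing against a request forged from the same origin, so the synchronizer token remains the check that must never be skipped. Switching the method to POST is the single change that defeats the auto-submitted GET form described in this advisory, but a POST form can be auto-submitted cross-site just as easily, which is why the origin and token checks are needed as well.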

Who is affected

Users running lollms-webui v9.9 without the fix are affected. Because the request is issued by the victim's own browser, this includes local-only deployments: any instance whose ComfyUI installation endpoint the victim's browser can reach, including one listening only on localhost, is exposed.
