CVE-2024-21574

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21574
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21574.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-21574
Published
2024-12-12T09:15:06Z
Modified
2025-01-15T05:06:26.430558Z
Summary
[none]
Details

The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server.

References

Affected packages

Git / github.com/ltdrdata/comfyui-manager

Affected ranges

Type
GIT
Repo
https://github.com/ltdrdata/comfyui-manager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.48.1
2.48.2
2.48.3
2.48.4
2.48.6
2.48.7
2.50
2.50.1