Unrated severityNVD Advisory· Published Mar 20, 2025· Updated Oct 15, 2025
Cross-Site Request Forgery (CSRF) in comfyanonymous/comfyui
CVE-2024-10481
Description
A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to perform actions such as uploading arbitrary files via the /upload/image endpoint. The lack of CSRF protections on API endpoints like /upload/image, /prompt, and /history leaves users vulnerable to unauthorized actions, which could be combined with other vulnerabilities such as stored-XSS to further compromise user sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=0.2.2
- comfyanonymous/comfyanonymous/comfyuiv5Range: unspecified
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.