ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server.
History
Mon, 23 Dec 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc |
Fri, 13 Dec 2024 11:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server. | |
Weaknesses | CWE-94 | |
References | | |
Metrics | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2024-12-13T11:17:00.945Z
Updated: 2024-12-23T18:11:35.222Z
Reserved: 2023-12-22T12:33:20.131Z
Link: CVE-2024-21576
Vulnrichment
Updated: 2024-12-23T18:11:30.346Z
NVD
Status: Received
Published: 2024-12-13T12:15:19.753
Modified: 2024-12-13T12:15:19.753
Link: CVE-2024-21576
Redhat
No data.