Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-12882

CVE-2024-12882: Comfy ComfyUI SSRF Vulnerability

CVE-2024-12882 is a non-blind SSRF flaw in Comfy ComfyUI v0.2.4 that enables attackers to exploit REST APIs to access unauthorized resources using the victim server's credentials. This article covers technical details, affected versions, impact analysis, and mitigation strategies.

Published:

CVE-2024-12882 Overview

CVE-2024-12882 is a non-blind Server-Side Request Forgery (SSRF) vulnerability [CWE-918] affecting comfyanonymous/comfyui version 0.2.4. Attackers chain the POST /internal/models/download and GET /view REST API endpoints to force the ComfyUI server to fetch arbitrary URLs. The server's own credentials and network position are abused to reach internal or otherwise unauthorized web resources. Because the response is returned to the attacker, exposed data can include internal services, cloud metadata, and file contents.

Critical Impact

Unauthenticated network attackers can pivot through the ComfyUI server to reach internal HTTP resources and exfiltrate their contents.

Affected Products

  • ComfyUI (comfyanonymous/comfyui) version 0.2.4
  • Deployments exposing the ComfyUI internal REST API on reachable networks
  • AI/ML workflow platforms embedding ComfyUI 0.2.4 as a component

Discovery Timeline

  • 2025-03-20 - CVE-2024-12882 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-12882

Vulnerability Analysis

ComfyUI exposes an internal model download endpoint at POST /internal/models/download. The endpoint accepts a user-controlled URL and fetches it server-side without validating the destination host or scheme against an allowlist. The downloaded content is written to a location subsequently readable through GET /view.

By chaining the two endpoints, an attacker instructs the server to retrieve an internal URL and then reads the response body through /view. This transforms a one-way SSRF into a non-blind SSRF, returning the fetched content directly to the caller. The attack requires no authentication, no user interaction, and only network reachability to the ComfyUI HTTP interface.

Root Cause

The root cause is missing validation of the URL supplied to the model download handler. The application performs an outbound HTTP request to any host or scheme the caller provides, including RFC 1918 addresses, 127.0.0.1, and cloud metadata endpoints such as 169.254.169.254. Combined with the readable staging path exposed by /view, this results in a classic CWE-918 pattern.

Attack Vector

The attack vector is network-based and unauthenticated. An attacker sends a crafted POST /internal/models/download request specifying an internal or restricted URL as the download source. The ComfyUI process fetches the resource using its own outbound credentials and stores the response. The attacker then issues GET /view to retrieve the fetched content, effectively reading internal HTTP responses through the ComfyUI server.

Detailed exploitation steps are documented in the Huntr Bounty Announcement.

Detection Methods for CVE-2024-12882

Indicators of Compromise

  • Unexpected POST /internal/models/download requests where the download URL targets internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), 127.0.0.1, or 169.254.169.254.
  • Sequential access patterns pairing POST /internal/models/download with GET /view from the same source IP within a short window.
  • Outbound connections from the ComfyUI host to cloud instance metadata services or non-model hosting infrastructure.

Detection Strategies

  • Inspect HTTP request bodies to /internal/models/download and alert on URL parameters resolving to private, loopback, or link-local addresses.
  • Correlate ComfyUI application logs with egress firewall logs to identify server-initiated requests to unexpected destinations.
  • Baseline legitimate model download sources (for example Hugging Face, GitHub releases) and alert on deviations.

Monitoring Recommendations

  • Log all ComfyUI REST API traffic, including full request URIs and JSON bodies, to a centralized SIEM.
  • Monitor outbound DNS queries from ComfyUI hosts for lookups of internal-only hostnames.
  • Track file writes into ComfyUI model directories and correlate with the initiating API call source.

How to Mitigate CVE-2024-12882

Immediate Actions Required

  • Restrict network access to the ComfyUI HTTP interface using firewall rules, VPN, or reverse proxy authentication.
  • Block outbound connections from ComfyUI hosts to internal ranges and cloud metadata endpoints (169.254.169.254).
  • Disable or proxy the /internal/models/download endpoint if it is not required in production deployments.

Patch Information

No vendor patch is referenced in the enriched CVE data at the time of publication. Users of comfyanonymous/comfyui0.2.4 should track upstream releases on the project repository and upgrade to a version that validates download URLs. Consult the Huntr Bounty Announcement for remediation status.

Workarounds

  • Deploy ComfyUI behind an authenticating reverse proxy and require credentials before any request reaches the application.
  • Enforce an egress allowlist that permits only known model repository domains from ComfyUI hosts.
  • Run ComfyUI in a network segment with no route to internal services or cloud metadata endpoints.
bash
# Example iptables egress restriction for a ComfyUI host
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -d huggingface.co -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.