CVE-2024-21574 Overview
CVE-2024-21574 is a critical remote code execution vulnerability in ComfyUI-Manager, a popular extension for managing custom nodes in the ComfyUI AI image generation framework. The vulnerability exists due to missing validation of the pip field in POST requests sent to the /customnode/install endpoint. This allows unauthenticated attackers to craft malicious requests that trigger pip install commands with attacker-controlled packages or URLs, resulting in arbitrary remote code execution on the server.
Critical Impact
This vulnerability enables unauthenticated remote code execution on systems running vulnerable versions of ComfyUI-Manager. Attackers can execute arbitrary commands with the privileges of the ComfyUI process, potentially compromising the entire server and any connected AI infrastructure.
Affected Products
- ComfyUI-Manager versions prior to V2.51.1
- ComfyUI installations using the vulnerable ComfyUI-Manager extension
- Self-hosted AI image generation servers running ComfyUI with the Manager extension
Discovery Timeline
- December 12, 2024 - CVE-2024-21574 published to NVD
- December 12, 2024 - Last updated in NVD database
Technical Details for CVE-2024-21574
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Code Injection), specifically manifesting as an arbitrary package installation flaw that leads to remote code execution. The root issue lies in the /customnode/install endpoint exposed by ComfyUI-Manager's server component, which processes POST requests for installing custom nodes without properly validating the pip field contents.
When a user or attacker sends a request to this endpoint, the server directly passes the pip field value to the pip package manager for installation. Since no validation exists to verify whether the package name or URL is legitimate or comes from a trusted source, an attacker can inject a malicious Python package hosted on PyPI or any arbitrary URL pointing to a malicious package archive.
The impact is severe because pip installation inherently involves executing Python code during the package setup process. A malicious setup.py file within the attacker's package can execute arbitrary commands with the same privileges as the ComfyUI server process, typically the user account running the AI generation workload.
Root Cause
The root cause is a complete absence of input validation on the pip field in the custom node installation request handler. The manager_server.py module directly processes user-supplied package identifiers without sanitization, allowlisting, or verification against known-good package registries. This allows arbitrary package URLs and names to be passed directly to pip execution.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker with network access to the ComfyUI-Manager server can send a crafted POST request to the /customnode/install endpoint with a malicious pip field value. This field can contain:
- A malicious package name hosted on PyPI with a trojanized setup.py
- A direct URL to an attacker-controlled package archive (.tar.gz or .whl)
- A Git repository URL containing malicious installation scripts
The security patch introduced a block security level and enhanced the is_allowed_security_level function to prevent installation operations in restricted configurations:
def is_allowed_security_level(level):
if level == 'block':
return False
elif level == 'high':
if is_local_mode:
return core.get_config()['security_level'].lower() in ['weak', 'normal-']
else:
Source: GitHub Commit
The version was also incremented to reflect the security fix:
import cm_global
from manager_util import *
version = [2, 51, 1]
version_str = f"V{version[0]}.{version[1]}" + (f'.{version[2]}' if len(version) > 2 else '')
Source: GitHub Commit
Detection Methods for CVE-2024-21574
Indicators of Compromise
- Unusual POST requests to the /customnode/install endpoint from external IP addresses
- Pip installation logs showing unexpected package names or external URLs
- New Python packages installed in the ComfyUI environment that are not part of legitimate custom nodes
- Unexpected outbound network connections from the ComfyUI server process
- Suspicious child processes spawned from the Python/ComfyUI process
Detection Strategies
- Monitor web server access logs for POST requests to /customnode/install containing URL patterns or unfamiliar package names in request bodies
- Implement network intrusion detection rules for suspicious pip install commands executed over HTTP
- Deploy file integrity monitoring on the ComfyUI installation directory to detect unauthorized package installations
- Use application-level logging to capture all custom node installation attempts with full request details
Monitoring Recommendations
- Enable verbose logging in ComfyUI-Manager to capture all installation requests
- Implement network segmentation to restrict ComfyUI servers from accessing external package repositories
- Deploy SentinelOne agents on ComfyUI servers to detect suspicious process execution and file modifications
- Monitor for unusual pip activity including installations from non-PyPI sources
How to Mitigate CVE-2024-21574
Immediate Actions Required
- Update ComfyUI-Manager to version V2.51.1 or later immediately
- Restrict network access to the ComfyUI-Manager endpoints using firewall rules
- Audit recent installation logs for any suspicious package installations
- Consider temporarily disabling the custom node installation functionality until patched
- Review running processes on affected servers for signs of compromise
Patch Information
The vulnerability has been addressed in ComfyUI-Manager commit ffc095a3. The fix introduces a block security level that prevents installation operations entirely, providing administrators with the ability to disable this high-risk functionality. Users should update to version V2.51.1 or later to receive this security fix.
Workarounds
- Set the security level to block in the ComfyUI-Manager configuration to disable custom node installation functionality
- Place the ComfyUI-Manager server behind an authenticated reverse proxy to prevent unauthenticated access
- Use network firewall rules to restrict access to the /customnode/install endpoint from trusted IP addresses only
- Run ComfyUI in an isolated container or virtual machine to limit the impact of potential exploitation
# Configuration example: Restrict network access to ComfyUI-Manager
# Add to your firewall rules (iptables example)
iptables -A INPUT -p tcp --dport 8188 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8188 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8188 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
