CVE-2024-21576
📋 TL;DR
ComfyUI-Bmad-Nodes contains a critical code injection vulnerability in three custom nodes (BuildColorRangeHSVAdvanced, FilterContour, FindContour) that allows remote code execution via crafted workflows. Attackers can execute arbitrary code on servers running vulnerable versions. This affects all users of ComfyUI-Bmad-Nodes who process untrusted workflows.
💻 Affected Systems
- ComfyUI-Bmad-Nodes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to data theft, cryptocurrency mining, or ransomware deployment on vulnerable servers.
If Mitigated
Limited impact if proper network segmentation, least privilege, and input validation are implemented, though risk remains significant.
🎯 Exploit Status
Exploitation requires crafting a malicious workflow file but doesn't require authentication. The eval() vulnerability pattern is well-known and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown from provided references - check GitHub repository for latest version
Vendor Advisory: https://github.com/bmad4ever/comfyui_bmad_nodes
Restart Required: Yes
Instructions:
1. Check the GitHub repository for security updates.
2. Update to the latest patched version.
3. Restart the ComfyUI service.
4. Verify that the eval() calls have been removed or properly sanitized in cv_nodes.py.
🔧 Temporary Workarounds
Disable vulnerable nodes
Remove or disable the BuildColorRangeHSVAdvanced, FilterContour, and FindContour nodes from the ComfyUI installation. Note that renaming cv_nodes.py, as below, disables every node defined in that file, not only the three listed.
mv /path/to/comfyui_bmad_nodes/cv_nodes.py /path/to/comfyui_bmad_nodes/cv_nodes.py.backup
Restart ComfyUI service
Network isolation
Restrict the ComfyUI instance to the internal network only with firewall rules
iptables -A INPUT -p tcp --dport [comfyui_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [comfyui_port] -j DROP
🧯 If You Can't Patch
- Isolate ComfyUI instance in separate network segment with no internet access
- Implement strict input validation and workflow sanitization before processing
🔍 How to Verify
Check if Vulnerable:
Check cv_nodes.py for eval() calls in BuildColorRangeHSVAdvanced, FilterContour, and FindContour functions around line 1814
Check Version:
Check package version or git commit hash of comfyui_bmad_nodes installation
Verify Fix Applied:
Verify eval() calls have been removed or replaced with safe alternatives in patched version
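A scanner for the "Verify Fix Applied" step, added here as an example (it is not code from the advisory or from the bmad4ever project): it walks a Python file with the ast module and reports every eval()/exec() call together with the node class that contains it, then lists which of the three advisory-named classes are still affected. The embedded sample source is constructed; the file path passed on the command line (your installation's cv_nodes.py) is an assumption.

```python
"""Added example, not project code: locate eval()/exec() calls in a Python
source file and map them to the enclosing ComfyUI node class."""
import ast
import sys

# Node classes the advisory names as vulnerable.
SUSPECT_CLASSES = {"BuildColorRangeHSVAdvanced", "FilterContour", "FindContour"}
DANGEROUS = {"eval", "exec"}


def find_dynamic_eval(source):
    """Return sorted (line, class_name, callee) for each eval()/exec() call inside a class."""
    tree = ast.parse(source)
    hits = []
    for cls in [n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)]:
        for node in ast.walk(cls):
            if isinstance(node, ast.Call):
                f = node.func  # bare name (eval) or attribute (mod.eval)
                name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
                if name in DANGEROUS:
                    hits.append((node.lineno, cls.name, name))
    return sorted(hits)


def vulnerable_classes(source):
    """Advisory-listed classes that still contain an eval()/exec() call."""
    return {cls for _, cls, _ in find_dynamic_eval(source) if cls in SUSPECT_CLASSES}


# Constructed sample standing in for cv_nodes.py (not the real file contents).
SAMPLE = '''
class FindContour:
    def filter(self, expr, contours):
        return [c for c in contours if eval(expr)]   # injection point
class SafeNode:
    def parse(self, text):
        import ast
        return ast.literal_eval(text)                 # safe alternative, not flagged
'''

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. path to cv_nodes.py
    src = open(path, encoding="utf-8").read() if path else SAMPLE
    for line, cls, callee in find_dynamic_eval(src):
        print(f"{cls}:{line}: {callee}()")
    print("still vulnerable:", sorted(vulnerable_classes(src)))
```

Run it against the installed cv_nodes.py before and after updating; an empty "still vulnerable" set for the patched file confirms the three classes no longer call eval().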
📡 Detection & Monitoring
Log Indicators:
- Unusual Python process execution from ComfyUI
- Workflow processing errors containing eval syntax
- Suspicious command execution in system logs
Network Indicators:
- Unexpected outbound connections from ComfyUI server
- Workflow submissions containing Python code patterns
SIEM Query:
source="comfyui.log" AND ("eval" OR "exec" OR "subprocess")