CVE-2024-21577.yaml
info:
  name: ComfyUI-Ace-Nodes
  cve: CVE-2024-21577
  summary: Code Injection vulnerability in ComfyUI-Ace-Nodes
  details: |
    The ACE_ExpressionEval node in ComfyUI-Ace-Nodes contains an eval() in its entrypoint function that accepts arbitrary user-controlled data.
    A user can create a workflow that results in executing arbitrary code on the server.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Immediately update to the latest version of ComfyUI-Ace-Nodes.
    2. Review and modify the ACE_ExpressionEval node to eliminate the use of eval().
    3. Implement strict input validation to prevent arbitrary code execution.
rule: ""
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-21577
  - https://github.com/hay86/ComfyUI_AceNodes/blob/5ba01db8a3b7afb8e4aecfaa48823ddeb132bbbb/nodes.py#L1193
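What remediation items 2 and 3 of the advisory look like in code, as an added example that is neither the project's own code nor a patch to ComfyUI-Ace-Nodes: the eval() pattern that causes the issue beside a whitelisting replacement built on Python's ast module, which evaluates only numeric literals, known variables and arithmetic. Function and variable names (unsafe_eval, safe_eval, the length and exponent limits) are assumptions for illustration.

```python
# Added example (not ComfyUI-Ace-Nodes code): replacing eval() on
# user-supplied expression text with a restricted evaluator.
import ast
import operator

# Only these operators are permitted; any other AST node is rejected.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_MAX_EXPR_LEN = 200  # assumed limit; bounds parse cost on hostile input
_MAX_EXPONENT = 64   # assumed limit; prevents CPU/memory blow-up via **


def unsafe_eval(expression, variables):
    """The vulnerable pattern: eval() on user-controlled text hands the
    caller the whole interpreter (imports, attribute access, calls)."""
    return eval(expression, {}, variables)


def _walk(node, variables):
    """Evaluate a parsed expression tree, allowing only numeric literals,
    named variables, binary arithmetic and unary sign operators."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in variables:
            raise ValueError(f"unknown variable: {node.id}")
        return variables[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _walk(node.left, variables), _walk(node.right, variables)
        if isinstance(node.op, ast.Pow) and abs(right) > _MAX_EXPONENT:
            raise ValueError("exponent too large")
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    # Call, Attribute, Subscript, Lambda, Tuple, etc. all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expression, variables=None):
    """Hardened replacement: parse in 'eval' mode, then interpret the tree
    ourselves so no Python code path is ever executed. Malformed input
    raises SyntaxError from ast.parse; disallowed input raises ValueError."""
    if len(expression) > _MAX_EXPR_LEN:
        raise ValueError("expression too long")
    tree = ast.parse(expression, mode="eval")
    numeric_vars = {k: v for k, v in (variables or {}).items()
                    if isinstance(v, (int, float))}
    return _walk(tree.body, numeric_vars)
```

Every rejected construct fails closed with an exception, so a node wrapping safe_eval can surface the error to the workflow author instead of executing it.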