We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server.
Reserved 2023-12-22 | Published 2024-12-13 | Updated 2024-12-23 | Assigner snykRaul Onitza-Klugman (Snyk Security Research)
github.com/...490cbadf32a1fe92ff820ebabe88c51ee8/cv_nodes.py
Support options