CVE Details
Basic Information
| Title | comfyanonymous comfyui utils.py set_attr dynamically-determined object attributes |
|---|---|
| Type | cve |
| Published | 2025-06-16T05:00:10.834Z |
| Last Seen |
Product Information
| Vendor | comfyanonymous |
|---|---|
| Product | comfyui |
| Version | 0.3.40 |
CVSS Information
| Base Score | 2.3 (LOW) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P |
| Confidentiality Impact | |
| Integrity Impact | |
| Availability Impact |
AI Analysis
| AI Description | A vulnerability in comfyui 0.3.40 allows remote attackers to manipulate dynamically-determined object attributes via the set_attr function in utils.py. The attack is complex and difficult to exploit, but the exploit has been publicly disclosed and may be used. The vendor did not respond to early disclosure. |
|---|---|
| AI Severity | Low |
| Vendor | comfyanonymous |
| Product | comfyui |
| Affected Version | 0.3.40 |
Affected Products
- comfyanonymous comfyui 0.3.40
Additional Information
| CVE List | |
|---|---|
| CWE List | CWE-915, CWE-913 |
| Bulletin Family |
References
Description
A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function set_attr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.