@superboy-zjc
superboy-zjc / ComfyUI-class-pollution.md
Last active June 18, 2025 01:48
ComfyUI is vulnerable to Class Pollution Vulnerability, Leading to DoS

Summary

ComfyUI is vulnerable to a Python class pollution vulnerability. When a malicious controlLora model containing a dotted pollution path in its state dict is loaded via the controlNet loader, ComfyUI unconditionally patches model parameters based on the polluted keys and their values. This can be abused to modify arbitrary internal state, resulting in a DoS attack.

  • Status: Assigned
  • CVE: CVE-2025-6107

Root Cause

The vulnerable function set_attr was designed to handle model patching and state dict loading in the ComfyUI workflow. However, it does not limit the scope of access and modification. A carefully crafted model can carry malicious state dict key-value pairs, such as 'time_embed.__class__.__base__.__getattribute__' = torch.rand(1), that allow attackers to modify internal class attributes in the Python runtime.

# https://github.com/comfyanonymous/ComfyUI/blob/19e45e9b0e235acafc120a7532ce3825b8a325b9/comfy/utils.py#L
superboy-zjc / comfyui-xss.md
Last active June 18, 2025 01:48
ComfyUI is Vulnerable to Cross Site Scripting Vulnerability

Summary

ComfyUI is vulnerable to a Cross-Site Scripting vulnerability. Attackers can exploit it by uploading .svg, .xhtml, etc., files containing triggerable JavaScript payloads, which bypasses the patch for CVE-2024-10099.

  • Status: Assigned
  • CVE: CVE-2025-6092

Root Cause

The security check added for CVE-2024-10099 only fixes the content type rendering for the .html, .htm, .js, and .css file extensions. The patch is not sufficient, because there are many other extensions for which modern browsers support the execution of JavaScript code.

# https://github.com/comfyanonymous/ComfyUI/blob/97f23b81f3421255ec4b425d2d8f4841207e0cd8/server.py#L481
    ...
superboy-zjc / gradio.md
Last active June 18, 2025 01:49
Gradio CORS Origin Validation Bypass Enables Cross-Origin Data Exfiltration

Gradio CORS Origin Validation Bypass Vulnerability

Summary

Gradio's CORS configuration is designed to protect internally deployed applications from attack vectors such as CSRF and data exfiltration attacks originating from external sources. However, the current implementation contains flaws that allow malicious actors to bypass the CORS origin validation that was fixed in CVE-2024-47165. This vulnerability can be exploited to steal sensitive data from internally deployed Gradio applications, even when they are intended to be protected against such attacks.

  • Status: Assigned
  • CVE: CVE-2025-5320

Affected Version

superboy-zjc / django-unicorn-rce.md
Last active June 27, 2025 20:59
django-unicorn class pollution leading to RCE, XSS, Auth Bypass and DoS

Summary

Django-Unicorn is vulnerable to a Python class pollution vulnerability, a new type of vulnerability categorized under CWE-915. The vulnerability arises from the core function set_property_value, which users can trigger remotely by crafting appropriate component requests that supply the values of the second and third parameters to the vulnerable function, leading to arbitrary changes to the Python runtime state.

With this finding, we have so far found at least five ways to exploit the vulnerability, reliably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application.

  • Status: Assigned
  • CVE: CVE-2025-24370

Analysis of Vulnerable Function

superboy-zjc / cors-private-gpt.md
Last active June 27, 2025 21:00
CORS Misconfiguration Vulnerability Leading to Sensitive Information Leak in PrivateGPT

Summary

Private GPT is a production-ready AI solution enabling secure, private queries on documents using Large Language Models (LLMs). Designed for privacy, it operates without an Internet connection, ensuring no data leaves the execution environment.

However, Private GPT's CORS settings are insecurely configured, allowing any origin to interact with the application without restriction. This flaw exposes sensitive user data when victims visit an attacker's website. By exploiting the CORS misconfiguration, attackers bypass the intended isolation of Private GPT and are able to fully interact with it. Even in environments deployed on internal networks, attackers are able to chat and extract sensitive information such as credentials, private documents, or any information from previously uploaded materials.

  • Status: Assigned
  • CVE: CVE-2025-4515
superboy-zjc / open-event-server-encryption-oracle.md
Last active March 24, 2025 00:32
Open event server has a token encryption oracle leading to email verification bypass

Summary

Open event server has a token encryption oracle. By leveraging it, attackers can craft the verification token for any email address, leading to email verification bypass.

Vulnerability Analysis

What Is an Encryption Oracle Attack

superboy-zjc / open-event-server-pe.md
Last active March 25, 2025 03:38
open-event-server is vulnerable to mass assignment attack, leading to privilege escalation

Proof of Concept

Set is-admin to true when updating self-profile.

PATCH /v1/users/[YOUR_ID] HTTP/1.1
Host: target
Authorization: JWT YOUR_TOKEN
Content-Type: application/vnd.api+json
superboy-zjc / open-event-server.md
Last active March 24, 2025 01:18
Logic vulnerability in open-event-server, leading to email verification bypass

Summary

Open event server is vulnerable to email verification bypass. Attackers can register any email address as an account with verified status.

Proof of Concept

  • The attacker first registers an account with their own email address and verifies it
  • The attacker creates a group with an arbitrary name
superboy-zjc / sverchok_class_pollution.md
Created March 19, 2025 18:36
Sverchok class pollution vulnerability leading to GitHub token theft

Sverchok Class Pollution Vulnerability Leading to Arbitrary Python Runtime Tampering

Summary

Sverchok is a popular Blender addon for dataflow programming. Its Set Property Mk2 node has a class pollution vulnerability: it accepts an arbitrary object path through which to propagate a property value, which leads to arbitrary Python runtime pollution.

A sophisticated attacker can trick victims into loading a malicious model file, which allows the attacker to tamper with the Python runtime and stealthily achieve dangerous consequences, such as token stealing, DoS, etc.

Root Cause

The Invitation Hell

Summary

We've identified that invitation functionality in web apps introduces a lot of security concerns. This project aims to systematically investigate the common vulnerabilities that frequently occur in invitation functionality and their unique impacts.

Break down

Why does invitation functionality cause so many security vulnerabilities?

The app backend needs to manage the invitation token over a long time (at least days), so we've seen token reuse happen frequently. They also want to attract more users into the app, so sometimes they simply give invited users the privilege to bypass email verification, and even users with unverified emails can get the invitation banner.