Vulnerability Summary

Vulnerability Overview
Vulnerability ID: #791112
Vulnerability Name: comfyanonymous ComfyUI <= 0.13.0 Path Traversal (CWE-22)
Vulnerability Type: Path Traversal Vulnerability
Affected Component: function in
Trigger Condition: Pass sequences via the input field of the API to bypass path validation in .

Impact Scope
Affected Versions: ComfyUI <= 0.13.0 (commit 6648ab68)
Affected Modules:
- LoadImage
- LoadImageMask
- LoadImageOutput
- LoadLatent
- LoadAudio
- LoadVideo
- Load3D
- Load3DAnimation
Potential Risks:
- Read arbitrary files (e.g., SSH keys, configuration files, database paths, etc.)
- Leak image content through the chain: LoadImage → PreviewImage → /view

Remediation
Root Cause: The function does not perform path safety checks on the result of , leading to path traversal attacks.
Remediation Recommendations:
- Add path safety checks in the function to ensure the path does not contain illegal characters such as .
- Perform strict input validation and filtering for all operations involving file paths.

POC Code
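The path safety check described under Remediation, as an added defensive example; it is not the advisory's PoC and not ComfyUI's own code. `resolve_inside`, `UnsafePathError` and the directory layout are hypothetical, and the check goes beyond character filtering by comparing the fully resolved path against the base directory, which also covers absolute paths and symlinks.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """A user-supplied name resolved outside the allowed base directory."""


def resolve_inside(base_dir: str, user_name: str) -> str:
    """Return the real path of user_name under base_dir, or raise.

    Hypothetical helper, not a ComfyUI function. The comparison runs on the
    resolved result rather than on the raw input string.
    """
    if "\x00" in user_name:
        raise UnsafePathError("NUL byte in file name")
    base_real = os.path.realpath(base_dir)
    # os.path.join drops base_real when user_name is absolute; realpath then
    # collapses ".." segments and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base_real, user_name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePathError(f"{user_name!r} escapes {base_dir!r}")
    return candidate


def demo() -> dict:
    """Run constructed sample names against a temporary directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "input")
        secret = os.path.join(root, "secret.txt")  # outside the base dir
        os.makedirs(os.path.join(base, "sub"))
        for path in (secret, os.path.join(base, "sub", "cat.png")):
            with open(path, "w") as fh:
                fh.write("sample")
        os.symlink(secret, os.path.join(base, "link.png"))
        samples = {"sub/cat.png": "sub/cat.png",
                   "sub/../sub/cat.png": "sub/../sub/cat.png",
                   "../secret.txt": "../secret.txt",
                   "sub/../../secret.txt": "sub/../../secret.txt",
                   "<absolute>": secret,
                   "link.png": "link.png"}
        for label, name in samples.items():
            try:
                resolve_inside(base, name)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:8} {label}")
```
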