[security] class pollution vulnerability

[superboy-zjc]

fix the security issue reported at: https://github.com/comfyanonymous/ComfyUI/security/advisories/GHSA-88r9-f379-rhhg

[Kosinkadink]

Looks good, I will raise this to the team later today to try to get it merged quickly.

[superboy-zjc]

HI @Kosinkadink Could the team also acknowledge the vulnerability report I sent via the security page? Thx!

[comfyanonymous]

3b4b171

And can you please not report minor bugs as major security vulns. Bugs like this should be reported as a normal issue.

[superboy-zjc]

3b4b171

And can you please not report minor bugs as major security vulns. Bugs like this should be reported as a normal issue.

Thanks for your response, but I think there’s a misunderstanding here.

1. This isn’t a "minor bug". This is a documented and exploitable security weakness, according to CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes and OWASP Top 10 categories. It’s a security flaw that affects stability. If you don’t consider that a vulnerability, that’s your call, but most security standards (like CWE/OWASP) would disagree.

2. You should know we’re not asking for money or credit. We reported this for free because we care about open-source security. A simple "thanks" or even just a constructive discussion would’ve been fine. Instead, the dismissive tone makes it seem like you don’t value outside contributions.

3. If you don’t want security reports labeled as such, just say so in your repo’s SECURITY.md. But calling a DoS or the XSS issue "minor" without technical justification isn’t a great look, especially when researchers are trying to help.

We’re happy to discuss the details, but we also expect basic courtesy. Open-source thrives on collaboration, not shutting people down