
[security] class pollution vulnerability #8435

Closed
superboy-zjc wants to merge 1 commit into Comfy-Org:master from superboy-zjc:master

Conversation


superboy-zjc changed the title from "[fix] class pollution vulnerability" to "[security] class pollution vulnerability" on Jun 5, 2025
@Kosinkadink (Member):

Looks good, I will raise this to the team later today to try to get it merged quickly.

Kosinkadink self-requested a review on June 6, 2025 08:52
@superboy-zjc (Author) commented Jun 6, 2025:

Hi @Kosinkadink, could the team also acknowledge the vulnerability report I sent via the security page? Thx!

comfyanonymous added a commit that referenced this pull request Jun 6, 2025
@comfyanonymous (Member):

3b4b171

And can you please not report minor bugs as major security vulns. Bugs like this should be reported as a normal issue.

@superboy-zjc (Author):

> 3b4b171
>
> And can you please not report minor bugs as major security vulns. Bugs like this should be reported as a normal issue.

Thanks for your response, but I think there’s a misunderstanding here.

  1. This isn’t a "minor bug". This is a documented and exploitable security weakness, according to CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes and OWASP Top 10 categories. It’s a security flaw that affects stability. If you don’t consider that a vulnerability, that’s your call, but most security standards (like CWE/OWASP) would disagree.

  2. You should know we’re not asking for money or credit. We reported this for free because we care about open-source security. A simple "thanks" or even just a constructive discussion would’ve been fine. Instead, the dismissive tone makes it seem like you don’t value outside contributions.

  3. If you don’t want security reports labeled as such, just say so in your repo’s SECURITY.md. But calling a DoS or the XSS issue "minor" without technical justification isn’t a great look, especially when researchers are trying to help.

We’re happy to discuss the details, but we also expect basic courtesy. Open-source thrives on collaboration, not shutting people down.
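A constructed illustration of the weakness class the thread is arguing about (CWE-915, "class pollution"), added here as an editor's example: it is not ComfyUI code and not the diff in this PR, and `Settings`, `merge_unsafe`, `merge_safe` and the sample input are hypothetical. It shows why a recursive attribute merge driven by untrusted keys is more than a crash bug: one write through `__class__` lands on the class and changes every instance in the process, and what an allow-listing merge does instead.

```python
# Constructed illustration of CWE-915 ("class pollution") in Python; an added
# example for this thread, not ComfyUI code and not the fix in this PR. A merge
# that follows arbitrary caller-supplied keys can be steered through __class__
# so a write lands on the class itself and so on every instance in the process.

class Settings:
    """Object whose attributes a caller is allowed to update from a dict."""
    debug = False  # class-level default shared by all instances

    def __init__(self):
        self.name = "default"
        self.nested = type("Nested", (), {"depth": 0})()

def merge_unsafe(target, source):
    """Vulnerable: recurses into any attribute the input names, dunders included."""
    for key, value in source.items():
        if isinstance(value, dict) and hasattr(target, key):
            merge_unsafe(getattr(target, key), value)  # "__class__" walks up to the class
        else:
            setattr(target, key, value)

def merge_safe(target, source):
    """Hardened: rejects private/dunder names and attributes the object lacks."""
    for key, value in source.items():
        if key.startswith("_") or not hasattr(target, key):
            raise ValueError(f"refusing to set attribute {key!r}")
        if isinstance(value, dict):
            merge_safe(getattr(target, key), value)
        else:
            setattr(target, key, value)

POLLUTING_INPUT = {"__class__": {"debug": True}}  # constructed untrusted input

def demo(merge):
    """Apply POLLUTING_INPUT to one object; return (victim.debug, bystander.debug),
    or None if the merge rejects it. Class state is restored so calls are repeatable."""
    victim, bystander = Settings(), Settings()
    try:
        merge(victim, POLLUTING_INPUT)
        return victim.debug, bystander.debug
    except ValueError:
        return None
    finally:
        Settings.debug = False  # undo any pollution of the shared class

if __name__ == "__main__":
    print("unsafe:", demo(merge_unsafe))  # (True, True): the bystander changed too
    print("safe:  ", demo(merge_safe))    # None: input rejected
```

The bystander object was never passed to the merge, yet its `debug` flipped, which is the defining symptom of this weakness class; the hardened merge still accepts ordinary nested updates to existing attributes.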

adlerfaulkner pushed a commit to LucaLabsInc/ComfyUI that referenced this pull request Oct 16, 2025