# ComfyUI — Path traversal in experimental model preview endpoint

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: ComfyUI | platform: huntr | repo: comfyanonymous/ComfyUI | commit: 2026-02-13-scan

````
Repository URL: https://github.com/comfyanonymous/ComfyUI
Package Manager: pip
Version Affected: latest (observed in 2026-02-13 scan)
Vulnerability Type: Path Traversal

CVSS:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Title: /experiment/models/preview joins unsanitized filename path segments

Impact: Limited arbitrary image-file read from the filesystem and possible information disclosure (private images, screenshots, model artifacts). Also potential noisy error/DoS behavior with invalid indices.

Description:

# Description

The route `/experiment/models/preview/{folder}/{path_index}/{filename:.*}` accepts `filename` via the catch-all pattern `{filename:.*}` and joins it directly with a server folder path:

```python
filename = request.match_info.get("filename", None)
full_filename = os.path.join(folder, filename)
previews = self.get_model_previews(full_filename)
```

No `abspath`/`commonpath` traversal check is performed before the path is used. Because the preview logic glob-matches and opens images (`Image.open`), traversal is constrained to readable image files that can be re-encoded to WEBP, but it still allows out-of-scope file access to image content.

# Proof of Concept

1. Identify valid `folder` and `path_index` values.
2. Request the endpoint with traversal segments in `filename`.
3. If the target path resolves to an existing image basename, the endpoint returns that image as WEBP.

Example request:

```http
GET /experiment/models/preview/checkpoints/0/../../../../home/user/private/photo
```

Expected vulnerable behavior: an image outside the intended model folder can be opened and returned.
### Impact

Limited arbitrary image-file read from the filesystem and possible information disclosure (private images, screenshots, model artifacts). Also potential noisy error/DoS behavior with invalid indices.

### Occurrences

```
Permalink: https://github.com/comfyanonymous/ComfyUI/blob/master/app/model_manager.py#L52-L63
Description: filename path component is joined without traversal validation in preview endpoint

Permalink: https://github.com/comfyanonymous/ComfyUI/blob/master/app/model_manager.py#L36-L49
Description: get_model_previews uses glob and Image.open on derived path basename
```

### References

```
URL: https://cwe.mitre.org/data/definitions/22.html
Name: CWE-22: Improper Limitation of a Pathname to a Restricted Directory

URL: https://owasp.org/www-community/attacks/Path_Traversal
Name: OWASP Path Traversal
```
````
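The fix the description points at is an `abspath`/`commonpath` containment check before the joined path reaches `get_model_previews`. The helper below is an added example written for this draft, not ComfyUI's own code; the root directory and the file names it is exercised with are constructed.

```python
import os
from typing import Optional


def resolve_under_root(root: str, relative: str) -> Optional[str]:
    """Join `relative` under `root`; return the absolute path only if it
    stays inside `root`, otherwise None.

    Hypothetical helper for this report (not ComfyUI code). It rejects
    empty and absolute inputs, and uses os.path.commonpath rather than a
    string-prefix test so that a sibling such as "/srv/models-private"
    is not accepted as being inside "/srv/models".
    """
    if not relative:
        return None
    # os.path.join would discard `root` entirely if `relative` is absolute.
    if os.path.isabs(relative) or relative.startswith(("/", "\\")):
        return None

    root_abs = os.path.abspath(root)
    # abspath collapses "." and ".." segments without touching the filesystem.
    # os.path.realpath would additionally resolve symlinks, which matters if
    # untrusted users can create links inside the model folders.
    candidate = os.path.abspath(os.path.join(root_abs, relative))

    try:
        inside = os.path.commonpath([root_abs, candidate]) == root_abs
    except ValueError:
        # On Windows, paths on different drives have no common path.
        inside = False
    return candidate if inside else None


def preview_path(folder: str, filename: str) -> str:
    """Shape of a guarded handler step: confine the request's filename to
    the model folder or raise, instead of joining it unchecked."""
    resolved = resolve_under_root(folder, filename)
    if resolved is None:
        raise PermissionError("filename escapes the model folder")
    return resolved
```

The check must run on the decoded, joined path, since `{filename:.*}` delivers the segments already URL-decoded.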