Defense-in-depth over GET→POST alone: reject the three CORS-safelisted
simple-form Content-Types (x-www-form-urlencoded, multipart/form-data,
text/plain) on 5 no-body POST handlers (snapshot/save,
manager/queue/{reset,start,update_comfyui}, manager/reboot) to block
<form method=POST> CSRF that bypasses method-only gating. Convert 10 pure
state-changing endpoints (fetch_updates, queue/{update_all,reset,start,
update_comfyui}, snapshot/{remove,restore,save}, comfyui_switch_version,
reboot) from GET to POST and split 5 config endpoints
(db_mode/preview_method/channel_url_list/policy/{component,update}) into
GET(read) + POST(write, JSON body). Emit the in_progress + done event pair
from the /manager/queue/install sync-enable fast-path so client UI
finalizes (previously only queue/start's empty worker done fired, leaving
item.restart unset and the Enable button visible after a successful enable).
Harden js/custom-nodes-manager.js completion path: await onQueueCompleted
with try/catch (surfaces silent turbogrid stale-item throws), replace the
{}.length == 0 no-op empty guard, set install_context before queue/install
to avoid a sync-completion race, wrap classList/updateCell in try/catch.
Resynchronize openapi.yaml with the converted routes (method → post, query
params → requestBody JSON schema, sibling post on 5 split endpoints).
Update 31 JS fetchApi call sites across 7 files; add
tests/test_csrf_content_type_helper.py covering 5 Content-Type cases via
aiohttp TestClient.
Reported-by: XlabAI Team of Tencent Xuanwu Lab
CVSS: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
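As an added example (not ComfyUI-Manager's own code), the Content-Type gate this commit describes, reimplemented stand-alone in plain Python so it runs without aiohttp: the route set, function names and the 415 status are assumptions, and the five header cases exercised at the bottom are constructed.

```python
from typing import Mapping, Optional

# The three media types an HTML <form> (and any CORS "simple request") can send.
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Constructed route set (assumption), mirroring the five no-body POST handlers
# named in the commit message.
NO_BODY_POST_ROUTES = frozenset({
    "/snapshot/save", "/manager/reboot", "/manager/queue/reset",
    "/manager/queue/start", "/manager/queue/update_comfyui",
})


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Bare, lower-cased media type of a Content-Type value, with parameters
    such as '; charset=utf-8' or '; boundary=...' stripped. None if absent."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def is_form_content_type(content_type: Optional[str]) -> bool:
    """True when the header is one a cross-site form could have produced."""
    return media_type(content_type) in FORM_CONTENT_TYPES


def gate_request(method: str, path: str, headers: Mapping[str, str]) -> int:
    """Defense-in-depth decision for a no-body state-changing handler.
    405: method gating alone (non-POST).  415: POST carrying a form-capable
    Content-Type, which a same-origin fetch()/XHR caller never needs to send.
    200: allowed through (no Content-Type, application/json, ...)."""
    if path not in NO_BODY_POST_ROUTES:
        return 200  # not a gated route; other handlers are out of scope here
    if method.upper() != "POST":
        return 405
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    return 415 if is_form_content_type(ct) else 200


if __name__ == "__main__":
    # Five constructed header cases against one gated route.
    for ct in (None, "application/json", "application/x-www-form-urlencoded",
               "multipart/form-data; boundary=----abc", "text/plain;charset=UTF-8"):
        hdrs = {} if ct is None else {"Content-Type": ct}
        print(repr(ct), "->", gate_request("POST", "/manager/reboot", hdrs))
```

A same-origin JavaScript caller that sends no body or a JSON body is unaffected, while a cross-site form is limited to the three rejected types, so the gate closes the bypass without breaking the UI's fetchApi calls.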
Adds MVNT (https://github.com/mvnt-app/ComfyUI-MVNT) to the custom
node list. MVNT generates full-body dance motion from audio using a
diffusion model trained with 100+ professional choreographers.
Nodes: MVNT Generate Dance, MVNT Generate Character, MVNT Export Video,
MVNT Preview BVH, MVNT List Styles, MVNT Estimate Cost, MVNT Load Motion.
Published on Comfy Registry as comfyui-mvnt (publisher: mvnt).
Made-with: Cursor
Co-authored-by: Your Name <your.email@example.com>
- Add litellm==1.82.7 and litellm==1.82.8 to blacklist (PYSEC-2026-2)
- Add ultralytics==8.3.42 to blacklist
- Replace substring matching with exact version set matching
- Remove early break to detect multiple malicious packages
- ComfyUI-RIFE-TensorRT-Auto: Ultra fast frame interpolation with automatic TensorRT optimization
- ComfyUI-Upscaler-TensorRT-Auto: 2-4x faster image upscaling with TensorRT
- ComfyUI-HuggingFace: Advanced HuggingFace model downloader with search functionality
All nodes feature automatic installation, enhanced performance, and improved stability over original implementations.