CVE-2025-67303
published 2026-01-05


Priority: P2 (78) · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 1.36% (68.3rd percentile)
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.

Affected (2 ranges)

Vendor   Product           Version range     Fixed in
comfy    comfyui-manager   < 3.38            3.38
comfy    comfyui-manager   >= 0, < 3.38      3.38

Detection & IOCs (extracted from sources)

url: /userdata/ComfyUI-Manager%2Fconfig.ini
path: /userdata/ComfyUI-Manager%2Fconfig.ini
command: POST /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1 Content-Type: application/octet-stream [default] security_level = weak
  • Detect exploitation attempts by monitoring HTTP GET/POST requests to the path /userdata/ComfyUI-Manager%2Fconfig.ini (%2F is the URL-encoded '/' path separator, so decode request paths before matching). A 200 response to GET indicates the file is publicly accessible.
  • Detect configuration overwrite attempts by monitoring POST requests to /userdata/ComfyUI-Manager%2Fconfig.ini with Content-Type: application/octet-stream and body containing '[default]' and 'security_level = weak'.
  • Confirm successful exploitation by checking that a subsequent GET to /userdata/ComfyUI-Manager%2Fconfig.ini returns HTTP 200 with body containing 'security_level = weak'.
  • Use Shodan query http.title:"ComfyUI" to identify exposed ComfyUI instances potentially vulnerable to this CVE.
  • Vulnerable versions are ComfyUI-Manager prior to 3.38. Confirm version and check if /userdata/ directory is accessible without authentication.
  • The exploit requires web access to the ComfyUI instance. No authentication bypass is needed — the /userdata/ path is simply unprotected in versions prior to 3.38.
  • The vulnerability stems from storing sensitive files (e.g., config.ini) in a web-accessible location. The fix in v3.38 involves a userdata security migration, meaning detection rules targeting the old path may no longer apply post-patch.
  • The Nuclei template is marked 'intrusive' — the POST request actively overwrites config.ini with 'security_level = weak', which modifies the target system state during detection.
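The three detection bullets above can be turned into one classifier that a SOC could run over web-server or proxy records. The following is an added example written for this page; it is not code from the ComfyUI-Manager project or from the cited Nuclei template. It assumes each HTTP exchange has already been parsed into a dict with the keys method, path, status, content_type, body (request body, for POST) and response_body (for GET); the sample traffic is constructed, not captured. The path check URL-decodes repeatedly so that the literal path, the %2F form from the advisory, and a double-encoded %252F variant all match the same rule.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Target path from the advisory, after URL-decoding (%2F -> '/').
TARGET_PATH = "/userdata/ComfyUI-Manager/config.ini"

# The setting the advisory's POST body writes into config.ini.
WEAK_SETTING = re.compile(r"^\s*security_level\s*=\s*weak\s*$", re.MULTILINE)


def normalize_path(raw_path: str) -> str:
    """Strip the query string and URL-decode until stable, so that
    '/userdata/ComfyUI-Manager%2Fconfig.ini' and a double-encoded
    '%252F' variant both collapse to the literal target path."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded: avoid looping on pathological input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(req: dict) -> Optional[str]:
    """Return an alert label for one request record, or None if the
    request does not touch the ComfyUI-Manager config file."""
    if normalize_path(req["path"]) != TARGET_PATH:
        return None
    method = req["method"].upper()
    status = req.get("status")
    if method == "POST":
        ctype = (req.get("content_type") or "").lower()
        body = req.get("body") or ""
        # Bullet 2: octet-stream upload carrying '[default]' and the weak setting.
        if "application/octet-stream" in ctype and "[default]" in body \
                and WEAK_SETTING.search(body):
            return "config-overwrite-attempt"
        return "config-write-probe"
    if method == "GET":
        resp = req.get("response_body") or ""
        # Bullet 3: a 200 whose body already contains the weak setting.
        if status == 200 and WEAK_SETTING.search(resp):
            return "exploitation-confirmed"
        # Bullet 1: a 200 alone means the file is publicly readable.
        if status == 200:
            return "config-exposed"
        return "config-read-probe"
    return "config-access"


def scan(records) -> list:
    """Run classify() over a batch and return (source, label) pairs."""
    return [(r["src"], label) for r in records if (label := classify(r))]


# Constructed sample traffic (not captured data): one dict per HTTP exchange.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET",
     "path": "/userdata/ComfyUI-Manager%2Fconfig.ini", "status": 200,
     "response_body": "[default]\nsecurity_level = normal\n"},
    {"src": "203.0.113.10", "method": "POST",
     "path": "/userdata/ComfyUI-Manager%2Fconfig.ini", "status": 200,
     "content_type": "application/octet-stream",
     "body": "[default]\nsecurity_level = weak\n"},
    {"src": "203.0.113.10", "method": "GET",
     "path": "/userdata/ComfyUI-Manager%2Fconfig.ini", "status": 200,
     "response_body": "[default]\nsecurity_level = weak\n"},
    {"src": "198.51.100.7", "method": "GET",
     "path": "/userdata/ComfyUI-Manager%252Fconfig.ini?cache=0", "status": 404},
    {"src": "198.51.100.7", "method": "GET", "path": "/queue", "status": 200},
]

if __name__ == "__main__":
    for src, label in scan(SAMPLE_REQUESTS):
        print(f"{src}\t{label}")
```

The labels escalate in the order the bullets describe: a readable file (config-exposed), a write that carries the weak setting (config-overwrite-attempt), and a later read that shows the setting took effect (exploitation-confirmed). Because the rule matches on the decoded path, it is unaffected by how the client encodes the slash; after the v3.38 userdata migration the path itself changes, so the TARGET_PATH constant is the one thing to revisit when a fleet is patched.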

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vulncheck             7.5     HIGH