CVE-2025-67303
Published 2026-01-05
Priority: P278 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.36% (percentile 68.3)
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| comfy | comfyui-manager | < 3.38 | 3.38 |
| comfy | comfyui-manager | >= 0 < 3.38 | 3.38 |
Detection & IOCs (extracted from sources)
Command (the request used by the Nuclei template):

```http
POST /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1
Content-Type: application/octet-stream

[default]
security_level = weak
```
- Detect exploitation attempts by monitoring HTTP GET/POST requests to the path /userdata/ComfyUI-Manager%2Fconfig.ini (URL-encoded path traversal separator). A 200 response to GET indicates the file is publicly accessible.
- Detect configuration overwrite attempts by monitoring POST requests to /userdata/ComfyUI-Manager%2Fconfig.ini with Content-Type: application/octet-stream and a body containing '[default]' and 'security_level = weak'.
- Confirm successful exploitation by checking that a subsequent GET to /userdata/ComfyUI-Manager%2Fconfig.ini returns HTTP 200 with a body containing 'security_level = weak'.
- Use the Shodan query http.title:"ComfyUI" to identify exposed ComfyUI instances potentially vulnerable to this CVE.
- Vulnerable versions are ComfyUI-Manager prior to 3.38. Confirm the version and check whether the /userdata/ directory is accessible without authentication.
- The exploit requires web access to the ComfyUI instance. No authentication bypass is needed: the /userdata/ path is simply unprotected in versions prior to 3.38.
- The vulnerability stems from storing sensitive files (e.g., config.ini) in a web-accessible location. The fix in v3.38 involves a userdata security migration, meaning detection rules targeting the old path may no longer apply post-patch.
- The Nuclei template is marked 'intrusive': the POST request actively overwrites config.ini with 'security_level = weak', which modifies the target system state during detection.
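The two log-based detections listed above, implemented as an added example (not code from any of the quoted sources): it classifies constructed reverse-proxy access-log lines in combined log format, treating a POST to the config.ini path as an overwrite attempt and a GET that returns 200 as evidence the file is web-readable. The log format, sample addresses and severity labels are assumptions.

```python
"""Hypothetical detection helper for CVE-2025-67303 (added example, not from
any source quoted on this page). Replays the page's two detections over
constructed access-log lines: a POST to the ComfyUI-Manager config.ini path
is an overwrite attempt; a GET answered with 200 shows the file is readable."""
import re
from urllib.parse import unquote

# Target path as seen in the Nuclei request; the URL-decoded form is checked too.
TARGET = "/userdata/ComfyUI-Manager/config.ini"

# Combined log format (assumed): ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line: str):
    """Return (severity, reason) for a log line, or None if it is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise: drop the query string, decode %2F/%2f and one level of double-encoding.
    path = unquote(unquote(m["path"].split("?", 1)[0]))
    if path.lower() != TARGET.lower():
        return None
    method, status = m["method"], int(m["status"])
    if method == "POST":
        return ("high", f"config.ini overwrite attempt from {m['ip']} (status {status})")
    if method == "GET" and status == 200:
        return ("medium", f"config.ini readable without auth, fetched by {m['ip']}")
    return ("low", f"{method} to config.ini from {m['ip']} returned {status}")

def scan(lines):
    """Classify every line and return the findings, ignoring unrelated traffic."""
    return [hit for hit in (classify(l) for l in lines) if hit]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2026:10:00:00 +0000] "GET /queue HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jan/2026:10:00:01 +0000] "GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 97',
    '203.0.113.9 - - [05/Jan/2026:10:00:02 +0000] "POST /userdata/ComfyUI-Manager%2fconfig.ini HTTP/1.1" 200 0',
    '198.51.100.4 - - [05/Jan/2026:11:00:00 +0000] "GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for sev, why in scan(SAMPLE_LOG):
        print(f"[{sev}] {why}")
```

A 403 on the GET (the last sample line) is reported at low severity so that a patched or proxied instance still shows the probe without being mistaken for a readable file.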
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| VulnCheck | | 7.5 | HIGH | |
GHSA
ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)
ghsa · 2026-06-22 · CVE-2025-67303 [HIGH] CWE-420
### Impact
An **Unprotected Alternate Channel (CWE-420)** vulnerability was discovered in ComfyUI-Manager versions prior to 3.38.
#### Vulnerability Details
In affected versions, ComfyUI-Manager stored its configuration in the `user/default/ComfyUI-Manager/` directory, which was accessible via ComfyUI's web APIs without proper access control. This unprotected alternate channel allowed remote attackers to read and manipulate configuration files and critical data through the web interface.
#### Potential Attack Scenarios
An attacker exploiting this vulnerability could:
- **Modify security settings**: Lower the security level from "strong" to "weak" to enable more dangerous operations
- **Tamper with custom node sources**: A
GHSA
GHSA-2hc9-cc65-xwj8: An issue in ComfyUI-Manager prior to version 3
ghsa_unreviewed · 2026-01-05 · CVE-2025-67303 [HIGH] CWE-420
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.
VulnCheck
comfy comfyui-manager Unprotected Alternate Channel
vulncheck · 2025 · CVSS 7.5 · CVE-2025-67303 [HIGH]
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.
Affected: comfy comfyui-manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-05-16&host_type=src&vulnerability=cve-2025-67303
No detection rules found.
Nuclei
ComfyUI-Manager < 3.38 - Configuration Overwrite
nuclei · CVSS 7.5 · CVE-2025-67303 [HIGH]
ComfyUI-Manager < 3.38 contains an insecure file storage vulnerability caused by storing files in an insufficiently protected location that is accessible via the web interface, letting remote attackers manipulate configuration and critical data. Exploitation requires web access.
Template:

```yaml
id: CVE-2025-67303

info:
  name: ComfyUI-Manager < 3.38 - Configuration Overwrite
  author: maciejklimek
  severity: critical
  description: |
    ComfyUI-Manager < 3.38 contains an insecure file storage vulnerability caused by storing files in an insufficiently protected location accessible via the web interface, letting remote attackers manipulate configuration and critical data, exploit requires web access.
  impact: |
    Remote attackers can manipulate configuration and critical
```
No writeups or analysis indexed.