Listen to this Post
How CVE-2025-67303 Works
ComfyUI-Manager is the official extension manager for ComfyUI, an open-source, node-based interface for Stable Diffusion. In versions prior to 3.38, the extension stored its configuration, snapshots, and other critical data in the `user/default/ComfyUI-Manager/` directory.
The core of the vulnerability lies in how ComfyUI’s web API handles this directory. The path `user/default/` is exposed via the `/userdata` API endpoint without requiring any authentication. This creates an “unprotected alternate channel” (CWE-420). While the primary web interface might have some protections, this secondary channel for accessing configuration files is left completely open.
This exposure has severe implications when ComfyUI is configured to allow external access, typically using the `–listen 0.0.0.0` flag. An unauthenticated attacker on the network can directly read and, more critically, write to these configuration files via the web API. By manipulating these files, an attacker can alter security settings, add malicious custom node repositories from Git, or corrupt system snapshots. When the system is restarted, ComfyUI-Manager will automatically clone the attacker-specified repositories and execute any `install.py` script found within. This leads to unauthenticated Remote Code Execution (RCE) on the underlying server, granting the attacker full control of the system.
The vulnerability is scored with a CVSS v3.1 base score of 7.5 (High). The attack vector is network-based, requires low complexity, no privileges, and no user interaction. While it does not impact confidentiality, it has a High impact on integrity, allowing attackers to modify system data at will. This can be chained to achieve full system compromise.
DailyCVE Form
Platform: ComfyUI
Version: < v3.38
Vulnerability: CWE-420
Severity: High (7.5)
date: 2026-01-05
Prediction: 2026-01-11
What Undercode Say
The vulnerability stems from inadequate access control on the `/userdata` API endpoint. This allows unauthenticated attackers to interact with the `user/default/` directory, leading to a critical authentication bypass that can be exploited for Remote Code Execution.
Analytics & Bash Commands:
The primary indicator of exposure is the presence of the `–listen 0.0.0.0` flag in the ComfyUI startup command.
Check if ComfyUI is exposed to the network ps aux | grep "ComfyUI" | grep "listen" Test for vulnerable endpoint (requires network access to the target) curl -X GET http://<target-ip>:<port>/userdata/default/ComfyUI-Manager/config.ini
A successful response from this `curl` command confirms the system is vulnerable and its configuration can be read without authentication.
How Exploit:
An attacker can exploit this vulnerability by chaining the configuration manipulation with the manager’s snapshot restoration feature:
1. Read Configuration: First, the attacker uses the unprotected `/userdata` API to read the existing `config.ini` and understand the system’s setup.
2. Upload Malicious Snapshot: The attacker creates a malicious snapshot file. This file contains a URL pointing to a Git repository they control, which hosts a custom node with a malicious `install.py` script. They upload this snapshot via the web API.
3. Trigger Restoration: The attacker then triggers the snapshot restoration process through the web interface or API.
4. Code Execution: Upon the next restart of ComfyUI (which can be triggered by the attacker or naturally occurs), ComfyUI-Manager reads the poisoned snapshot, clones the attacker’s Git repository, and automatically executes the `install.py` script. This grants the attacker remote code execution on the server.
Proof of Concept (PoC) scripts are publicly available, including a Python script and a Nuclei template that can be used to test for this vulnerability.
Protection:
The primary and most effective protection is to upgrade to the patched versions.
Required Updates:
- ComfyUI: Upgrade to version v0.3.76+. This version includes the “System User Protection API” required for the fix to work.
- ComfyUI-Manager: Upgrade to version v3.38+.
What the Patch Does:
- Path Migration: Configuration files are moved from the unprotected `user/default/ComfyUI-Manager/` to the protected `user/__manager/` directory.
- Protected Directory: The new `__manager/` directory leverages ComfyUI’s System User Protection API, which blocks external web API access.
- Security Enforcement: Settings below “normal” are automatically raised to “normal” during migration.
- Legacy Backup: Old data is backed up to `.legacy-manager-backup/` with startup reminders until manually deleted.
- Fallback Protection: If ComfyUI is < v0.3.76, the Manager forces “strong” security mode, blocking new installations until ComfyUI is updated.
Temporary Workarounds (If Immediate Upgrade is Not Possible):
| Mitigation | Effectiveness | Effort |
| : | : | : |
| Remove `–listen 0.0.0.0` flag (use localhost only) | HIGH | Low |
| Implement firewall rules to block external access to ComfyUI ports | HIGH | Medium |
| Use reverse proxy with authentication (e.g., nginx + basic auth) | HIGH | Medium |
| Restrict network access to trusted IPs only | MEDIUM | Low |
Note: These are temporary mitigations. Upgrading to v3.38+ is strongly recommended.
Impact
Systems running with `–listen 0.0.0.0` (externally exposed) are at HIGH risk. An unauthenticated attacker can achieve Remote Code Execution (RCE) on the server, leading to a full system compromise. This could allow attackers to steal sensitive user data, private AI models, install malware, or use the compromised server for further attacks.
Systems behind a reverse proxy without proper access control are at MEDIUM risk. Local-only installations (default, localhost only) are NOT AFFECTED.
Credit: This vulnerability was reported by Ricter Zheng (ricterzheng / 郑杜涛) from Tencent Xuanwu Lab.
References:
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
