GHSA-562R-8445-54R2

Vulnerability from github – Published: 2026-01-13 19:02 – Updated: 2026-01-13 19:02
Summary
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Details

Impact

Vulnerability Type: CRLF Injection via ConfigParser

An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior.

Affected Users: Users running ComfyUI-Manager in environments where ComfyUI is configured with the --listen option to allow remote access.

CVSS Score: 7.5 (High)

Patches

Fixed in the following versions:
- 3.39.2 (v3.x branch)
- 4.0.5 (v4.x branch)

Sanitization logic was added to the write_config() function to remove CRLF and NULL characters from all string values.
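The mechanism described under Impact and the sanitization described under Patches, as an added example that is not ComfyUI-Manager's own code: a stand-in write_config() hands a decoded query parameter straight to configparser, the file is read back as the application would on its next start, and a sanitized variant is run against the same input. The section name, the key names preview_method and security_level, and the query string are assumptions made for this example. A bare carriage return (%0D) is used rather than %0D%0A because ConfigParser.write() turns a '\n' inside a value into an indented continuation line, whereas a '\r' is written through unchanged and then normalized to a line break when the file is read back in text mode, which is what lets the attacker's "key=value" land as a new option.

```python
"""
Hypothetical reproduction of CRLF injection through configparser.
Not ComfyUI-Manager's code: the handler, the section and key names and the
query string below are constructed for this example.
"""
import configparser
import os
import tempfile
from urllib.parse import parse_qs

SECTION = "default"  # assumed section name, not taken from the project

# Constructed query string: %0D is a bare carriage return, so the single
# parameter `preview_method` smuggles a second "key=value" pair inside it.
ATTACKER_QUERY = "preview_method=auto%0Dsecurity_level=weak"


def params_from_query(query: str) -> dict:
    """Decode a query string the way an HTTP handler would (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def write_config_vulnerable(path: str, values: dict) -> None:
    """Stand-in for the pre-fix handler: user input goes straight into the file.

    ConfigParser.write() rewrites '\n' inside a value as '\n\t' (a continuation
    line) but passes '\r' through untouched.
    """
    config = configparser.ConfigParser()
    config[SECTION] = {}
    for key, value in values.items():
        config[SECTION][key] = value
    with open(path, "w") as fp:
        config.write(fp)


def sanitize(value: str) -> str:
    """Remove the characters the fix strips from every string value (CR, LF, NUL)."""
    return value.replace("\r", "").replace("\n", "").replace("\0", "")


def write_config_fixed(path: str, values: dict) -> None:
    """Stand-in for the patched handler: same write path, sanitized values."""
    write_config_vulnerable(path, {k: sanitize(v) for k, v in values.items()})


def read_config(path: str) -> dict:
    """Read the file back as the application would on its next start.

    Text-mode reading normalizes a bare '\r' to a line break, so a CR-separated
    'key=value' inside a value is parsed as a new option of the same section.
    """
    config = configparser.ConfigParser()
    config.read(path)
    return dict(config[SECTION]) if config.has_section(SECTION) else {}


def demo(writer) -> dict:
    """Write the attacker-controlled parameters with `writer`, return what is parsed back."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    os.close(fd)
    try:
        writer(path, params_from_query(ATTACKER_QUERY))
        return read_config(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("vulnerable:", demo(write_config_vulnerable))
    # vulnerable: {'preview_method': 'auto', 'security_level': 'weak'}
    print("fixed:     ", demo(write_config_fixed))
    # fixed:      {'preview_method': 'autosecurity_level=weak'}
```

The same bare carriage return can also open a new `[section]` header, since configparser only treats a line as a continuation when it is indented. Stripping CR, LF and NUL before the write, as the fix does, is the right layer for the check: it closes the hole for every key that flows through the handler rather than for one parameter at a time.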

Workarounds

If upgrading is not possible:
- Run ComfyUI-Manager only on trusted networks
- Block external access via firewall
- Run on localhost only without the --listen option

References

- CWE-93: Improper Neutralization of CRLF Sequences: https://cwe.mitre.org/data/definitions/93.html
- OWASP CRLF Injection: https://owasp.org/www-community/vulnerabilities/CRLF_Injection

Credit

This vulnerability was reported by:
- 李存义 <xiaoheihei1107@gmail.com>
- D0n9 Li <wyd0n9@gmail.com>
- Swings <swing@mail.exp.sh>
- Osword from SGLAB of Legendsec at Qi'anxin Group <zhzhdoai@gmail.com>


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "comfy-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "comfy-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.39.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22777"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T19:02:52Z",
    "nvd_published_at": "2026-01-10T07:16:03Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\n**Vulnerability Type**: CRLF Injection via ConfigParser\n\nAn attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the `config.ini` file. This can lead to security setting tampering or modification of application behavior.\n\n**Affected Users**: Users running ComfyUI-Manager in environments where ComfyUI is configured with the `--listen` option to allow remote access.\n\n**CVSS Score**: 7.5 (High)\n\n## Patches\n\nFixed in the following versions:\n- **3.39.2** (v3.x branch)\n- **4.0.5** (v4.x branch)\n\nSanitization logic was added to the `write_config()` function to remove CRLF and NULL characters from all string values.\n\n## Workarounds\n\nIf upgrading is not possible:\n- Run ComfyUI-Manager only on trusted networks\n- Block external access via firewall\n- Run on localhost only without the `--listen` option\n\n## References\n\n- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)\n- [OWASP CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)\n\n## Credit\n\nThis vulnerability was reported by:\n- \u674e\u5b58\u4e49 \u003cxiaoheihei1107@gmail.com\u003e\n- D0n9 Li \u003cwyd0n9@gmail.com\u003e\n- Swings \u003cswing@mail.exp.sh\u003e\n- Osword from SGLAB of Legendsec at Qi\u0027anxin Group \u003czhzhdoai@gmail.com\u003e",
  "id": "GHSA-562r-8445-54r2",
  "modified": "2026-01-13T19:02:52Z",
  "published": "2026-01-13T19:02:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/ef8703a3d7ab4e6ecda8f96e0c5816c23d1cb262"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Comfy-Org/ComfyUI-Manager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler"
}
