GHSA-95PQ-HR8P-F5G7
Vulnerability from github – Published: 2026-06-22 19:58 – Updated: 2026-06-22 19:58
Impact
An Unprotected Alternate Channel (CWE-420) vulnerability was discovered in ComfyUI-Manager versions prior to 3.38.
Vulnerability Details
In affected versions, ComfyUI-Manager stored its configuration under user/default/ComfyUI-Manager/, a location that ComfyUI's web APIs expose without any access control of their own. This unprotected alternate channel let anyone who could reach the web interface read and modify the Manager's configuration files and other critical data directly, bypassing whatever checks the Manager itself applies when those settings are changed through its own interface.
Potential Attack Scenarios
An attacker exploiting this vulnerability could:
- Modify security settings: lower the security level from "strong" to "weak" to enable more dangerous operations
- Tamper with custom node sources: add malicious custom node repositories
- Manipulate snapshot data: corrupt or alter system snapshots
- Change manager behavior: alter various manager configuration settings
Affected Configurations
| Configuration | Risk Level |
|---|---|
| Systems running with --listen 0.0.0.0 (externally exposed) | HIGH |
| Systems behind reverse proxy without proper access control | MEDIUM |
| Local-only installations (default, localhost only) | NOT AFFECTED |
Patches
This issue has been patched in ComfyUI-Manager version 3.38.
Requirements
| Component | Minimum Version | Notes |
|---|---|---|
| ComfyUI | v0.3.76+ | Required for System User Protection API |
| ComfyUI-Manager | v3.38+ | Contains the security fix |
What the Patch Does
- Path Migration: configuration files moved from unprotected user/default/ComfyUI-Manager/ to protected user/__manager/
- Protected Directory: the new __manager/ directory leverages ComfyUI's System User Protection API, which blocks external web API access
- Security Level Enforcement: settings below "normal" are automatically raised to "normal" during migration
- Legacy Backup: old data is backed up to .legacy-manager-backup/ with startup reminders until manually deleted
- Fallback Protection: if ComfyUI < v0.3.76, Manager forces "strong" security mode, blocking new installations until ComfyUI is updated
Patch Details
- Commit: aaed1dc
- Pull Request: ComfyUI-Manager/#2338, ComfyUI/#10966
- Changes: +780 lines, −61 lines across 13 files
Workarounds
If immediate upgrade is not possible, apply the following mitigations:
| Mitigation | Effectiveness | Effort |
|---|---|---|
| Remove --listen 0.0.0.0 flag (use localhost only) | HIGH | Low |
| Implement firewall rules to block external access to ComfyUI ports | HIGH | Medium |
| Use reverse proxy with authentication (e.g., nginx + basic auth) | HIGH | Medium |
| Restrict network access to trusted IPs only | MEDIUM | Low |
Note: These are temporary mitigations. Upgrading to v3.38+ is strongly recommended.
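For installations that were exposed before a mitigation or the upgrade was applied, the next question is whether the channel was already used. The scanner below is an added example, not part of the advisory or of ComfyUI; it assumes aiohttp's default access-log line format and that the vulnerable channel is the user-data web API, whose request paths contain `userdata` and the legacy directory name `ComfyUI-Manager` (check your server's routes before relying on those markers). The log lines are constructed for the example.

```python
"""Flag off-host reads and writes of ComfyUI-Manager's legacy config directory
in ComfyUI access logs. Added example, not ComfyUI code.

Assumptions (verify against your deployment):
- log lines use aiohttp's default format: %a %t "%r" %s %b "Referer" "User-Agent"
- the user-data API path contains 'userdata' and the legacy directory name
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
USERDATA_MARKER = "userdata"          # assumed route marker
LEGACY_DIR_MARKER = "comfyui-manager"  # legacy directory name, lower-cased

# Constructed sample: one local read, one remote read, two remote writes
# (config and a snapshot), and two unrelated remote requests.
LOG_SAMPLE = """\
127.0.0.1 [22/Jun/2026:19:50:01 +0000] "GET /api/userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 [22/Jun/2026:19:58:10 +0000] "GET /api/userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 311 "-" "python-requests/2.32"
203.0.113.7 [22/Jun/2026:19:58:12 +0000] "POST /api/userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 12 "-" "python-requests/2.32"
203.0.113.7 [22/Jun/2026:19:58:15 +0000] "POST /api/userdata/ComfyUI-Manager%2Fsnapshots%2Fcurrent.json HTTP/1.1" 200 12 "-" "python-requests/2.32"
198.51.100.9 [22/Jun/2026:19:59:00 +0000] "GET /api/userdata/workflows%2Fmine.json HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 [22/Jun/2026:19:59:05 +0000] "GET /prompt HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one access-log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # %2F -> / so nested file names are visible
    rec["status"] = int(rec["status"])
    return rec


def is_remote(ip_text: str) -> bool:
    """Anything that is not a loopback address counts as off-host."""
    try:
        return not ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return True


def touches_legacy_manager_dir(path: str) -> bool:
    p = path.lower().split("?", 1)[0]
    return USERDATA_MARKER in p and LEGACY_DIR_MARKER in p


def scan(log_text: str):
    """Return the remote requests that hit the legacy Manager directory,
    each tagged 'read' or 'write' by HTTP method."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not touches_legacy_manager_dir(rec["path"]):
            continue
        if not is_remote(rec["ip"]):
            continue
        rec["verdict"] = "write" if rec["method"] in WRITE_METHODS else "read"
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Per source address: how many reads and writes of the legacy directory."""
    per_ip = defaultdict(lambda: {"reads": 0, "writes": 0})
    for a in alerts:
        per_ip[a["ip"]]["writes" if a["verdict"] == "write" else "reads"] += 1
    return dict(per_ip)


if __name__ == "__main__":
    for a in scan(LOG_SAMPLE):
        print(a["ts"], a["ip"], a["verdict"].upper(), a["method"], a["path"], a["status"])
    print(summarize(scan(LOG_SAMPLE)))
```

Behind a reverse proxy the source address in ComfyUI's own log is the proxy's, so run the scan over the proxy's logs (or a log format that records the forwarded client address) instead. Any write from a non-loopback address to the Manager's config or snapshots before the upgrade means the security level and custom node sources should be treated as tampered and reviewed, not just migrated.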
Resources
- NVD - CVE-2025-67303
- ComfyUI-Manager v3.38 Security Migration Guide
- Patch Pull Request ComfyUI-Manager/#2338
- Patch Pull Request ComfyUI/#10966
Credit
This vulnerability was reported by Ricter Zheng (ricterzheng / 郑杜涛) from Tencent Xuanwu Lab (ricterzheng@tencent.com).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "comfyui-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.38"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67303"
],
"database_specific": {
"cwe_ids": [
"CWE-420"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T19:58:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nAn **Unprotected Alternate Channel (CWE-420)** vulnerability was discovered in ComfyUI-Manager versions prior to 3.38.\n\n#### Vulnerability Details\n\nIn affected versions, ComfyUI-Manager stored its configuration in the `user/default/ComfyUI-Manager/` directory, which was accessible via ComfyUI\u0027s web APIs without proper access control. This unprotected alternate channel allowed remote attackers to read and manipulate configuration files and critical data through the web interface.\n\n#### Potential Attack Scenarios\n\nAn attacker exploiting this vulnerability could:\n- **Modify security settings**: Lower the security level from \"strong\" to \"weak\" to enable more dangerous operations\n- **Tamper with custom node sources**: Add malicious custom node repositories\n- **Manipulate snapshot data**: Corrupt or alter system snapshots\n- **Change manager behavior**: Alter various manager configuration settings\n\n#### Affected Configurations\n\n| Configuration | Risk Level |\n|---------------|------------|\n| Systems running with `--listen 0.0.0.0` (externally exposed) | **HIGH** |\n| Systems behind reverse proxy without proper access control | **MEDIUM** |\n| Local-only installations (default, localhost only) | **NOT AFFECTED** |\n\n---\n\n### Patches\n\nThis issue has been patched in **ComfyUI-Manager version 3.38**.\n\n#### Requirements\n\n| Component | Minimum Version | Notes |\n|-----------|-----------------|-------|\n| ComfyUI | v0.3.76+ | Required for System User Protection API |\n| ComfyUI-Manager | v3.38+ | Contains the security fix |\n\n#### What the Patch Does\n\n1. **Path Migration**: Configuration files moved from unprotected `user/default/ComfyUI-Manager/` to protected `user/__manager/`\n2. **Protected Directory**: The new `__manager/` directory leverages ComfyUI\u0027s System User Protection API, which blocks external web API access\n3. 
**Security Level Enforcement**: Settings below \"normal\" are automatically raised to \"normal\" during migration\n4. **Legacy Backup**: Old data is backed up to `.legacy-manager-backup/` with startup reminders until manually deleted\n5. **Fallback Protection**: If ComfyUI \u003c v0.3.76, Manager forces \"strong\" security mode, blocking new installations until ComfyUI is updated\n\n#### Patch Details\n\n- **Commit**: `aaed1dc`\n- **Pull Request**: [ComfyUI-Manager/#2338](https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338) [ComfyUI/#10966](https://github.com/Comfy-Org/ComfyUI/pull/10966)\n- **Changes**: +780 lines, \u221261 lines across 13 files\n\n---\n\n### Workarounds\n\nIf immediate upgrade is not possible, apply the following mitigations:\n\n| Mitigation | Effectiveness | Effort |\n|------------|---------------|--------|\n| Remove `--listen 0.0.0.0` flag (use localhost only) | **HIGH** | Low |\n| Implement firewall rules to block external access to ComfyUI ports | **HIGH** | Medium |\n| Use reverse proxy with authentication (e.g., nginx + basic auth) | **HIGH** | Medium |\n| Restrict network access to trusted IPs only | **MEDIUM** | Low |\n\n**Note**: These are temporary mitigations. Upgrading to v3.38+ is strongly recommended.\n\n---\n\n### Resources\n\n- [NVD - CVE-2025-67303](https://nvd.nist.gov/vuln/detail/CVE-2025-67303)\n- [ComfyUI-Manager v3.38 Security Migration Guide](https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md)\n- [Patch Pull Request ComfyUI-Manager/#2338](https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338)\n - [Patch Pull Request ComfyUI/#10966](https://github.com/Comfy-Org/ComfyUI/pull/10966)\n\n---\n\n### Credit\n\nThis vulnerability was reported by **Ricter Zheng (ricterzheng / \u90d1\u675c\u6d9b)** from **Tencent Xuanwu Lab** \u003cricterzheng@tencent.com\u003e",
"id": "GHSA-95pq-hr8p-f5g7",
"modified": "2026-06-22T19:58:24Z",
"published": "2026-06-22T19:58:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-95pq-hr8p-f5g7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67303"
},
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26"
},
{
"type": "PACKAGE",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager"
},
{
"type": "WEB",
"url": "https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)"
}