CVE-2025-67303 Scanner

ComfyUI-Manager is a software application used for managing user interfaces, primarily in environments requiring custom configuration and management of user data and settings. It is utilized by developers and IT managers to efficiently configure and maintain UI settings. The application is often integrated within larger systems to provide UI management capabilities and is valued for its customization and configurability. Firms with specialized user interface requirements often depend on ComfyUI-Manager for its flexibility and reliability. The product plays a critical role where detailed configuration of user interfaces is necessary, offering a streamline for development and deployment of user settings. As it handles configuration files, any vulnerability in its file management can have significant ramifications on the overall system security.

The Configuration Overwrite vulnerability in ComfyUI-Manager is primarily due to insecure file storage practices. The vulnerability allows remote attackers to access and manipulate configuration files stored in inadequate protected locations. Exploiting this vulnerability, attackers can alter configuration settings and potentially modify critical data. The nature of this vulnerability might let unauthorized entities impact the integrity and security of the application's configuration files. This flaw poses a significant risk as it can undermine the secure operation of ComfyUI-Manager by allowing unauthorized changes.

Technically, the vulnerability is exploited by making HTTP requests to access the 'config.ini' file stored within the application. The path '/userdata/ComfyUI-Manager%2Fconfig.ini' is manipulated to overwrite existing settings. The attacker can conduct GET and POST HTTP requests to retrieve and modify configuration parameters. Especially, the parameter 'security_level' in the configuration file can be reset or set to 'weak,' exposing the application to further threats. Ensuring the security controls over this file path and its parameters is crucial to mitigate this security flaw.

If exploited, the Configuration Overwrite vulnerability could lead to significant adverse effects, including unauthorized changes to security settings, potential exposure of sensitive data, and loss of application integrity. Attackers may gain the ability to alter system access controls, which could lead to system breaches. Organizations relying on ComfyUI-Manager might face operational challenges and data integrity issues if the configuration files are tampered with malicious intent. Moreover, failing to address such vulnerabilities may result in reputational damage and loss of trust among users.

REFERENCES

• https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md
• https://github.com/vulhub/vulhub/blob/master/comfyui/CVE-2025-67303/README.md
• https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md