Skip to content
Verified reproduction

CVE-2025-67303: ComfyUI-Manager: Configuration File Exposure via Web-Accessible Path

CVE-2025-67303 is verified against ComfyUI-Manager · pip affected versions: < 3.38 fixed version: 3.38 This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00052.

REPRO-2026-00052 ComfyUI-Manager · pip Jan 8, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 11m 32s
Tool calls 57
Affected < 3.38
Fixed in 3.38
$ pruva-verify REPRO-2026-00052
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00052/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface

03 · Root cause
Prior to 3.38, ComfyUI-Manager stored its configuration/critical data in a location served by the ComfyUI web interface, enabling remote unauthenticated access and potential overwrite/manipulation via HTTP.
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

No artifacts available