Cyber Posture

CVE-2025-67303

HighPublic PoC

Published: 05 January 2026

Published
05 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0132 80.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67303 is a high-severity Unprotected Alternate Channel (CWE-420) vulnerability in Comfy Comfyui-Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-12 (Information Location).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources like configuration files, directly preventing unauthorized web interface manipulation.

CM-12 Information Location good match
prevent

Requires identification and protection of critical information locations, such as configuration files stored in web-accessible directories.

CM-6 Configuration Settings good match
prevent

Mandates secure configuration settings for applications to restrict web interface access to sensitive file storage locations.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct remote unauthenticated file manipulation via exposed web-accessible storage in a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface

Deeper analysisAI

CVE-2025-67303 is a vulnerability in ComfyUI-Manager prior to version 3.38, where the application stores its files in an insufficiently protected location accessible via the web interface. This flaw allows remote attackers to potentially manipulate configuration and critical data. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-420.

Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables high integrity impact, permitting manipulation of the application's configuration and critical data, while confidentiality and availability remain unaffected.

Advisories recommend updating to ComfyUI-Manager version 3.38 or later for mitigation. Relevant guidance includes the userdata security migration documentation at https://github.com/Comfy-Org/ComfyUI-Manager/blob/main/docs/en/v3.38-userdata-security-migration.md and the fixing commit at https://github.com/Comfy-Org/ComfyUI-Manager/pull/2338/commits/e44c5cef58fb4973670b86433b9d24d077b44a26.

Details

CWE(s)
CWE-420

Affected Products

comfy
comfyui-manager
≤ 3.38

CVEs Like This One

CVE-2026-22777Same product: Comfy Comfyui-Manager
CVE-2026-40217Shared CWE-420
CVE-2025-54309Shared CWE-420
CVE-2025-13315Shared CWE-420
CVE-2025-41727Shared CWE-420

References