CVE-2025-67303

HIGH · EXPLOITED · NUCLEI

ComfyUI-Manager <3.38 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2025-67303 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including jcaz2378, Remnant-DB, materaj2. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a minimal Python script that creates a file and a vague README mentioning CVE-2025-67303 without technical details or functional exploit code.

Description

An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data, because the application stored its files in an insufficiently protected location that was accessible via the web interface.

Exploits (6)

nomisec · STUB
by jcaz2378 · poc
https://github.com/jcaz2378/ComfyUIrce

The repository contains a minimal Python script that creates a file and a vague README mentioning CVE-2025-67303 without technical details or functional exploit code.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: ComfyUI (version unspecified)
Authentication: none needed
Prerequisites: None specified
Analyzed by devstral-2 · May 14, 2026
nomisec · WORKING POC
by Remnant-DB · poc
https://github.com/Remnant-DB/CVE-2025-67303

This repository contains a functional exploit PoC for CVE-2025-67303, demonstrating a command injection vulnerability in a simulated ComfyUI Manager service. The vulnerable endpoint `/run` reads and executes commands from a user-controlled configuration file, enabling remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ComfyUI Manager (simulated) version 3.37-vulnerable
Authentication: none needed
Prerequisites: Network access to the target service · Ability to write to the `/config` endpoint
Analyzed by devstral-2 · Mar 08, 2026
nomisec · WORKING POC
by materaj2 · poc
https://github.com/materaj2/exploit_cve_2025_67303

This repository contains a PoC exploit for CVE-2025-67303, targeting a command injection vulnerability in ComfyUI Manager. The exploit includes a web endpoint that executes arbitrary commands and an install script that starts a reverse shell via netcat.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ComfyUI Manager (version not specified)
Authentication: none needed
Prerequisites: Network access to the target · ComfyUI Manager with vulnerable endpoint exposed
Analyzed by devstral-2 · Feb 16, 2026
nomisec · STUB
by ExploreUnknowed · poc
https://github.com/ExploreUnknowed/CVE-2025-67303

The repository contains only a PowerShell script that pings a domain and a minimal README. No functional exploit code or details about the vulnerability are provided.

Classification: Stub (90%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Authentication: none needed
Prerequisites: none
Analyzed by devstral-2 · Feb 16, 2026
nomisec · TROJAN
by maybe-O · poc
https://github.com/maybe-O/CVE-2025-67303

The repository claims to be a PoC for CVE-2025-67303 but contains malicious code disguised as a legitimate AI enhancement node for ComfyUI. It executes a PowerShell reverse shell and a Python-based reverse shell during installation, with no clear relation to the stated vulnerability.

Classification: Trojan (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ComfyUI (version unspecified)
Authentication: none needed
Prerequisites: Victim must install the malicious package · Network connectivity to attacker-controlled IP
Analyzed by devstral-2 · Feb 16, 2026
nomisec · STUB
by joker-xiaoyan · poc
https://github.com/joker-xiaoyan/CVE-2025-67303

The repository contains a trivial PowerShell script that only launches the calculator. No exploit logic or vulnerability details are present.

Classification: Stub (10%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Authentication: none needed
Analyzed by devstral-2 · Feb 16, 2026

Nuclei Templates (1)

ComfyUI-Manager < 3.38 - Configuration Overwrite
CRITICAL · VERIFIED · by maciejklimek
Shodan query: http.title:"ComfyUI"

Scores

CVSS v3: 7.5
EPSS: 0.0088
EPSS Percentile: 75.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

VulnCheck KEV: 2026-05-16
CWE: CWE-420
Status: published
Products (1): comfy/comfyui-manager < 3.38
Published: Jan 05, 2026
Tracked Since: Feb 18, 2026