{"repro_id":"REPRO-2026-00052","version":2,"title":"ComfyUI-Manager: Configuration File Exposure via Web-Accessible Path","repro_type":"security","status":"published","severity":"high","description":"An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface","root_cause":"Prior to 3.38, ComfyUI-Manager stored its configuration/critical data in a location served by the ComfyUI web interface, enabling remote unauthenticated access and potential overwrite/manipulation via HTTP.","ghsa_id":"GHSA-2hc9-cc65-xwj8","cve_id":"CVE-2025-67303","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-67303","package":{"name":"ComfyUI-Manager","ecosystem":"pip","affected_versions":"< 3.38","fixed_version":"3.38"},"reproduced_at":"2026-01-08T08:39:52.829102+00:00","duration_secs":692.6565079689026,"tool_calls":57,"turns":2,"handoffs":1,"quality":{"idempotent_verified":false,"community_verifications":0},"key_moments":[{"agent":"repro","description":"The vulnerable ComfyUI repository was cloned to set up the reproduction environment.","index":11,"time":692653.7575721741,"title":"Cloned vulnerable repo","type":"env_setup"},{"agent":"repro","description":"The ComfyUI-Manager repository was cloned to obtain necessary management scripts and context.","index":12,"time":692653.7895202637,"title":"Cloned manager repo","type":"env_setup"},{"agent":"repro","description":"A reproduction shell script was written to automate the exploit or reproduction steps.","index":46,"time":692655.3173065186,"title":"Created reproduction script","type":"poc_created"},{"agent":"repro","description":"The reproduction script was executed to trigger the vulnerability.","index":48,"time":692655.4152965546,"title":"Executed reproduction script","type":"vuln_triggered"},{"agent":"repro","description":"Output files before and after the exploit were checked to confirm the vulnerability was successfully triggered.","index":53,"time":692655.5845737457,"title":"Verified exploit output","type":"confirmation"}],"published_at":"2026-01-08T08:40:04.083952+00:00","retracted":false,"artifacts":[{"path":"bundle/reproduction_steps.sh","filename":"reproduction_steps.sh","size":183,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":2430,"category":"analysis"},{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":6396,"category":"reproduction_script"},{"path":"bundle/ticket.md","filename":"ticket.md","size":923,"category":"ticket"},{"path":"bundle/repro/logs/protected_config_current.ini","filename":"protected_config_current.ini","size":34,"category":"other"},{"path":"bundle/repro/logs/server.log","filename":"server.log","size":313,"category":"log"},{"path":"bundle/repro/logs/step3_get_after.txt","filename":"step3_get_after.txt","size":33,"category":"other"},{"path":"bundle/repro/logs/step1_get_before.txt","filename":"step1_get_before.txt","size":33,"category":"other"},{"path":"bundle/repro/logs/step2_post_response.json","filename":"step2_post_response.json","size":28,"category":"other"},{"path":"bundle/repro/logs/step4_get_protected.txt","filename":"step4_get_protected.txt","size":0,"category":"other"},{"path":"bundle/repro/logs/legacy_config_current.ini","filename":"legacy_config_current.ini","size":33,"category":"other"}]}