Severity: HIGH 7.5 · Ecosystem: PyPI

ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler

GHSA-562r-8445-54r2 · CVE-2026-22777


Description

Impact

Vulnerability Type: CRLF Injection via ConfigParser

An attacker can inject CRLF control characters into HTTP query parameters so that arbitrary configuration values are written into the config.ini file. This can be used to tamper with security settings or otherwise change application behavior.

Affected Users: Users running ComfyUI-Manager in environments where ComfyUI is configured with the --listen option to allow remote access.

CVSS Score: 7.5 (High)

Patches

Fixed in the following versions:

  • 3.39.2 (v3.x branch)
  • 4.0.5 (v4.x branch)

Sanitization logic was added to the write_config() function to remove CRLF and NULL characters from all string values.
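The following is an added illustration, not ComfyUI-Manager's own code, of the mechanism described above and of the sanitization the fix applies. It assumes a minimal handler that renders each option as a `key = value` line (a hypothetical stand-in for the real configuration writer) and shows how a string value carrying CRLF characters, if written unsanitized, is read back by `configparser` as an additional option, while the same value with CR, LF and NUL stripped stays a single value. The option names and the tampered value are constructed for the example.

```python
import configparser

# Characters the advisory's fix strips from string values: CR, LF and NUL.
CONTROL_CHARS = frozenset({"\r", "\n", "\x00"})


def sanitize_value(value):
    """Remove CR, LF and NUL from a string before it is written to config.ini.

    Non-string values are returned unchanged (the fix targets string values).
    """
    if not isinstance(value, str):
        return value
    return "".join(ch for ch in value if ch not in CONTROL_CHARS)


def has_control_chars(value):
    """True if a request parameter carries CR, LF or NUL; useful for
    rejecting or logging such input before it reaches the config writer."""
    return isinstance(value, str) and any(ch in CONTROL_CHARS for ch in value)


def write_config_text(section, values, sanitize):
    """Render one section as INI text the way a naive handler might
    (hypothetical writer, not the project's own code).
    Each option becomes one 'key = value' line."""
    lines = [f"[{section}]"]
    for key, value in values.items():
        if sanitize:
            value = sanitize_value(value)
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def read_config(text):
    """Parse INI text back with configparser and return {section: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


# Constructed sample: a query-parameter value with an injected CRLF line.
TAMPERED_VALUE = "normal\r\ninjected_option = constructed"


def demo(sanitize):
    """Write a section containing the tampered value and return what is read back."""
    text = write_config_text("example", {"example_option": TAMPERED_VALUE}, sanitize)
    return read_config(text)["example"]


if __name__ == "__main__":
    print("unsanitized:", demo(sanitize=False))  # two options appear
    print("sanitized:  ", demo(sanitize=True))   # one option, as intended
```

Without sanitization the CRLF inside the value terminates the line, and `configparser` parses the remainder as a second option; with the characters stripped the whole string remains the value of the one option the caller meant to set. `has_control_chars()` is the complementary check a handler can run on incoming parameters to reject or log such requests outright.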

Workarounds

If upgrading is not possible:

  • Run ComfyUI-Manager only on trusted networks
  • Block external access via firewall
  • Run on localhost only without the --listen option

References

Credit

This vulnerability was reported by:
