Headline
GHSA-562r-8445-54r2: ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Impact
Vulnerability Type: CRLF Injection via ConfigParser
An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior.
Affected Users: Users running ComfyUI-Manager in environments where ComfyUI is configured with the --listen option to allow remote access.
CVSS Score: 7.5 (High)
Patches
Fixed in the following versions:
- 3.39.2 (v3.x branch)
- 4.0.5 (v4.x branch)
Sanitization logic was added to the write_config() function to remove CRLF and NULL characters from all string values.
Workarounds
If upgrading is not possible:
- Run ComfyUI-Manager only on trusted networks
- Block external access via firewall
- Run on localhost only without the
--listenoption
References
Credit
This vulnerability was reported by:
- 李存义 xiaoheihei1107@gmail.com
- D0n9 Li wyd0n9@gmail.com
- Swings swing@mail.exp.sh
- Osword from SGLAB of Legendsec at Qi’anxin Group zhzhdoai@gmail.com
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2026-22777
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Package
pip comfy-cli (pip)
Affected versions
>= 4.0.0, <= 4.0.4
< 3.39.2
Patched versions
4.0.5
3.39.2
Description
Published to the GitHub Advisory Database
Jan 13, 2026