CVE-2026-22777
ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler
Description

## Impact

**Vulnerability Type**: CRLF Injection via ConfigParser

An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the `config.ini` file. This can lead to security setting tampering or modification of application behavior.

**Affected Users**: Users running ComfyUI-Manager in environments where ComfyUI is configured with the `--listen` option to allow remote access.

**CVSS Score**: 7.5 (High)

## Patches

Fixed in the following versions:

- **3.39.2** (v3.x branch)
- **4.0.5** (v4.x branch)

Sanitization logic was added to the `write_config()` function to remove CRLF and NULL characters from all string values.

## Workarounds

If upgrading is not possible:

- Run ComfyUI-Manager only on trusted networks
- Block external access via firewall
- Run on localhost only without the `--listen` option

## References

- [CWE-93: Improper Neutralization of CRLF Sequences](https://cwe.mitre.org/data/definitions/93.html)
- [OWASP CRLF Injection](https://owasp.org/www-community/vulnerabilities/CRLF_Injection)

## Credit

This vulnerability was reported by:

- 李存义 <[email protected]>
- D0n9 Li <[email protected]>
- Swings <[email protected]>
- Osword from SGLAB of Legendsec at Qi'anxin Group <[email protected]>
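The patch described above strips CR, LF and NUL from every string value before it reaches `config.ini`. The following is an added illustration of that class of fix, written for this page; it is not ComfyUI-Manager's own `write_config()`, and the `default` section name, the key names and the sample values are constructed. It sanitizes each value, reports which keys had to be altered (so a caller can log the attempt rather than silently accept it), and reads the file back to confirm that only the intended keys exist.

```python
import configparser
import os
import tempfile

# Characters that can break one value into additional INI lines, or truncate it,
# when the file is re-read. The advisory's fix removes exactly CR, LF and NUL.
_FORBIDDEN = {"\r", "\n", "\x00"}


def sanitize_value(value):
    """Return value as a string with CR, LF and NUL characters removed."""
    return "".join(ch for ch in str(value) if ch not in _FORBIDDEN)


def write_config(values, path, section="default"):
    """Write a flat dict of settings to an INI file, sanitizing every value.

    Returns the list of keys whose value was changed by sanitization, so the
    caller can treat them as a tamper attempt and log them.
    (Hypothetical helper, not the project's own write_config().)
    """
    altered = []
    parser = configparser.ConfigParser(interpolation=None)
    parser.add_section(section)
    for key, raw in values.items():
        clean = sanitize_value(raw)
        if clean != str(raw):
            altered.append(key)
        parser.set(section, key, clean)
    with open(path, "w", encoding="utf-8") as fh:
        parser.write(fh)
    return altered


def read_config(path, section="default"):
    """Read the section back as a plain dict (keys are lower-cased by configparser)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    return dict(parser.items(section))


def roundtrip(values):
    """Write values to a temporary file and read them back.

    Returns (settings_as_read, altered_keys); the temp file is always removed.
    """
    fd, path = tempfile.mkstemp(suffix=".ini")
    os.close(fd)
    try:
        altered = write_config(values, path)
        return read_config(path), altered
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed sample: one clean value and one carrying a CRLF and a NUL.
    settings, altered = roundtrip({"security_level": "normal",
                                   "note": "x\r\nextra = 1\x00"})
    print(settings)   # only the two intended keys survive
    print(altered)    # ['note'] was sanitized and should be logged
```

The check that matters for this CVE is the last one: after the round trip the settings dict contains exactly the keys the application wrote, with no extra entries introduced by line breaks inside a value.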
How to fix CVE-2026-22777
To fix CVE-2026-22777, upgrade the affected package to one of the patched versions below.
- Upgrade to 4.0.5 or later
Is CVE-2026-22777 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed.
Affected packages (1)
- >= 4.0.0, < 4.0.5