Platform
python
Component
comfyanonymous/comfyui
Fixed in
0.3.41
CVE-2025-6107 is a vulnerability affecting ComfyUI versions 0.3.40 through 0.3.40. This issue involves the manipulation of dynamically-determined object attributes within the set_attr function located in /comfy/utils.py. A remote attacker could potentially exploit this flaw. A fix is available in version 0.3.41.
The vulnerability lies in the set_attr function, which allows for the dynamic setting of object attributes. An attacker could leverage this to modify the behavior of ComfyUI, potentially leading to arbitrary code execution or denial of service. While the complexity of the attack is considered high, the public disclosure of the exploit increases the risk of exploitation. The ability to launch the attack remotely expands the potential attack surface, making systems running vulnerable versions of ComfyUI susceptible to compromise.
This vulnerability was publicly disclosed on 2025-06-16. The vendor, comfyanonymous, was contacted but did not respond. The exploit's public availability and relatively high complexity suggest a moderate risk of exploitation. No KEV listing or EPSS score is currently available. The description indicates the exploit has been disclosed, increasing the likelihood of exploitation.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade ComfyUI to version 0.3.41 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the attributes being set within the setattr function to restrict the values that can be assigned. While a direct WAF rule is unlikely, monitoring network traffic for unusual requests targeting /comfy/utils.py could provide early warning signs of exploitation attempts. After upgrading, confirm the fix by attempting to trigger the vulnerable setattr function with malicious input and verifying that it is properly handled.
Update to a patched version of comfyui that addresses the dynamically-determined object attribute manipulation vulnerability. If no version is available, consider applying a manual patch to the /comfy/utils.py file or disabling the affected functionality until an update is released.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-6107 is a vulnerability in ComfyUI versions 0.3.40–0.3.40 that allows attackers to manipulate object attributes, potentially leading to code execution or denial of service.
You are affected if you are running ComfyUI version 0.3.40. Upgrade to version 0.3.41 to mitigate the risk.
Upgrade ComfyUI to version 0.3.41 or later. If immediate upgrade is not possible, implement input validation on attribute settings.
The exploit has been publicly disclosed, increasing the likelihood of exploitation. Monitor your systems for suspicious activity.
Refer to the comfyanonymous GitHub repository for updates and advisories related to CVE-2025-6107.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.