ComfyUI-Manager: Unprotected Config Directory (CVE-2025-XXXX)
What changed
ComfyUI-Manager prior to 3.38 stored configuration in an unprotected directory accessible via web APIs, allowing remote attackers to read and manipulate configuration files and critical data. Patched in v3.38 by moving config to a protected directory and enforcing security levels.
Who it affects
Systems running ComfyUI-Manager < 3.38, especially those exposed externally via --listen 0.0.0.0 or behind a reverse proxy without proper access control.
What to do today
Upgrade ComfyUI-Manager to v3.38+ and ensure ComfyUI is v0.3.76+. If immediate upgrade is not possible, remove --listen 0.0.0.0, implement firewall rules, or use a reverse proxy with authentication.
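A small pre-upgrade audit for the steps above, added here as an example; it is not part of the advisory or of ComfyUI-Manager. It takes the version thresholds from this page and assumes my reading of ComfyUI's `--listen` option (a bare `--listen` binds all interfaces, the default is loopback).

```python
import shlex

# Fixed versions as stated in the advisory.
FIXED_MANAGER = (3, 38)
FIXED_COMFYUI = (0, 3, 76)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(text):
    """'v0.3.76' -> (0, 3, 76). Plain dotted numeric versions only."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def listen_addresses(cmdline):
    """Addresses ComfyUI would bind for this launch command.
    Assumption about ComfyUI's CLI: --listen takes an optional address list,
    a bare --listen binds all interfaces, and the default is loopback."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg.startswith("--listen="):
            return arg.split("=", 1)[1].split(",")
        if arg == "--listen":
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            if nxt is None or nxt.startswith("-"):
                return ["0.0.0.0", "::"]
            return nxt.split(",")
    return ["127.0.0.1"]


def assess(manager_version, comfyui_version, cmdline):
    """Return a list of findings; empty means nothing to do for this advisory."""
    findings = []
    vulnerable = parse_version(manager_version) < FIXED_MANAGER
    if vulnerable:
        findings.append(f"ComfyUI-Manager {manager_version} < 3.38: upgrade")
    if parse_version(comfyui_version) < FIXED_COMFYUI:
        findings.append(f"ComfyUI {comfyui_version} < 0.3.76: upgrade with the Manager")
    exposed = [a for a in listen_addresses(cmdline) if a not in LOOPBACK]
    if exposed and vulnerable:
        findings.append(f"vulnerable Manager reachable on {','.join(exposed)}: "
                        "drop --listen or front it with an authenticating reverse proxy")
    elif exposed:
        findings.append(f"bound to {','.join(exposed)}: confirm proxy authentication")
    return findings


if __name__ == "__main__":
    # Constructed sample host, not real data.
    for finding in assess("3.37", "0.3.75", "python main.py --listen 0.0.0.0 --port 8188"):
        print("-", finding)
```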