
CVE-2025-6107: Dynamically-Determined Object Attributes in comfyanonymous comfyui

Severity: Low
Type: Vulnerability
Tags: CVE-2025-6107, cve, cve-2025-6107
Published: Mon Jun 16 2025 (06/16/2025, 05:00:10 UTC)
Source: CVE Database V5
Vendor/Project: comfyanonymous
Product: comfyui

Description

A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function set_attr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/16/2025, 05:19:27 UTC

Technical Analysis

CVE-2025-6107 is a vulnerability identified in version 0.3.40 of the ComfyUI software developed by comfyanonymous. The issue resides in the function set_attr within the /comfy/utils.py file, where the manipulation of dynamically-determined object attributes occurs. This vulnerability allows an attacker to influence object attributes dynamically, which can lead to unexpected behavior or potential security risks. The attack can be launched remotely, indicating that no local access is required to attempt exploitation. However, the complexity of the attack is rated as high, and the exploitability is considered difficult, meaning that a successful attack would require significant skill and effort. The vulnerability does not require any privileges or authentication but does require user interaction to trigger, as indicated by the CVSS vector. The CVSS 4.0 base score is 2.3, categorizing it as a low-severity issue. There is no known exploit currently observed in the wild, and the vendor has not responded to early disclosure attempts. The vulnerability impacts the confidentiality, integrity, and availability of the system only to a limited extent, with no scope change or privilege escalation involved. Given the nature of the vulnerability, it could potentially be used to cause minor disruptions or unexpected behavior in applications relying on ComfyUI 0.3.40, but it is unlikely to lead to severe system compromise or data breaches without additional vulnerabilities or conditions.

Potential Impact

For European organizations using ComfyUI 0.3.40, the direct impact of this vulnerability is expected to be limited due to its low severity and high complexity of exploitation. The vulnerability could cause minor integrity issues or unexpected behavior in systems that rely on dynamic attribute manipulation within ComfyUI, potentially affecting workflows or automation processes that depend on this UI framework. Since exploitation requires user interaction, the risk of widespread automated attacks is low. However, organizations in sectors where ComfyUI is integrated into critical systems or where user interaction can be socially engineered (e.g., through phishing) should be cautious. The lack of vendor response and absence of patches means that affected organizations must rely on internal mitigations. The impact on confidentiality and availability is minimal, but integrity could be marginally affected if an attacker manages to manipulate object attributes in a way that alters application behavior. Overall, the threat does not pose a significant risk to European enterprises but should be monitored, especially in environments where ComfyUI is used in sensitive or operationally critical contexts.

Mitigation Recommendations

- Avoid using ComfyUI version 0.3.40; upgrade to a later version if one is available in which this vulnerability is addressed.
- If upgrading is not immediately possible, restrict network exposure of systems running ComfyUI to trusted internal networks only, minimizing the remote attack surface.
- Implement strict input validation and sanitization on any user inputs or data that reach the set_attr function or other dynamic attribute assignments within ComfyUI.
- Educate users about the risk of social engineering attacks that could trigger user-interaction-based exploits, emphasizing cautious behavior with unsolicited UI prompts or inputs.
- Monitor application logs for unusual or unexpected attribute changes or errors related to dynamic attribute handling in ComfyUI.
- Consider deploying application-layer firewalls or runtime application self-protection (RASP) solutions that can detect and block anomalous dynamic attribute manipulations.
- Engage in active threat intelligence sharing within industry groups to stay informed about any emerging exploits or patches related to this vulnerability.
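The input validation recommended above for dynamic attribute assignment, as an added example that is not ComfyUI's code (the page does not show the body of set_attr, so this is a generic illustration of the weakness class rather than a reconstruction of the affected function): a wrapper that accepts only allowlisted dotted attribute paths, refuses underscore-prefixed segments such as `__class__` or `__dict__`, refuses to create attributes that do not already exist on the target, requires the new value to match the type of the existing one, and logs every rejection so the log monitoring recommended above has something to watch. The configuration object, attribute names and allowlist are constructed for the example.

```python
import logging
import re
from types import SimpleNamespace

log = logging.getLogger("dynamic_attr_guard")

# A segment must be a plain identifier; the leading-underscore ban is defence in
# depth against dunder / private attributes even if the allowlist is misconfigured.
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


class AttributeRejected(ValueError):
    """Raised when a dynamic attribute assignment fails validation."""


def _reject(path, reason):
    # Every rejection is logged: an unexpected path here is a detection signal.
    log.warning("rejected dynamic attribute assignment %r: %s", path, reason)
    raise AttributeRejected(f"{path!r}: {reason}")


def safe_set_attr(root, path, value, allowed_paths):
    """Assign `value` to the dotted attribute `path` under `root`, but only if
    the full path is allowlisted, every segment is a plain identifier, the leaf
    attribute already exists, and the value keeps the existing attribute's type.
    Returns the assigned value."""
    if path not in allowed_paths:
        _reject(path, "path not in allowlist")
    parts = path.split(".")
    for part in parts:
        if not _IDENT.match(part):
            _reject(path, f"illegal attribute segment {part!r}")
    target = root
    for part in parts[:-1]:
        target = getattr(target, part)
    leaf = parts[-1]
    if not hasattr(target, leaf):
        _reject(path, "attribute does not exist on target (no attribute creation)")
    current = getattr(target, leaf)
    if type(value) is not type(current):
        _reject(path, f"type {type(value).__name__} does not match existing "
                      f"{type(current).__name__}")
    setattr(target, leaf, value)
    return value


def is_rejected(root, path, value, allowed_paths):
    """Helper for checks: True if the assignment is refused, False if applied."""
    try:
        safe_set_attr(root, path, value, allowed_paths)
    except AttributeRejected:
        return True
    return False


# Constructed sample configuration tree and allowlist (hypothetical names).
ALLOWED_PATHS = frozenset({"sampler.steps", "sampler.cfg_scale", "model.lora_scale"})


def make_sample_config():
    return SimpleNamespace(
        sampler=SimpleNamespace(steps=20, cfg_scale=7.0),
        model=SimpleNamespace(lora_scale=1.0, path="/models/PLACEHOLDER.safetensors"),
    )


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    cfg = make_sample_config()
    print("steps ->", safe_set_attr(cfg, "sampler.steps", 30, ALLOWED_PATHS))
    for bad_path, bad_value in [("model.path", "/tmp/x"),      # not allowlisted
                                ("sampler.__class__", object),  # dunder segment
                                ("sampler.steps", "30"),        # wrong type
                                ("sampler.seed", 1)]:           # would create attr
        print(bad_path, "rejected:", is_rejected(cfg, bad_path, bad_value, ALLOWED_PATHS))
```

The allowlist is the primary control; the identifier check, the existence check and the type check are layered behind it so that a single misconfiguration (an over-broad allowlist entry, for instance) does not by itself reopen the full attribute namespace of the object graph.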


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-15T09:47:49.816Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684fa5d5a8c9212743839699

Added to database: 6/16/2025, 5:04:21 AM

Last enriched: 6/16/2025, 5:19:27 AM

Last updated: 8/18/2025, 4:34:20 AM

Views: 27
