Open-Source Wikis

/

ComfyUI

/

Security

comfyanonymous/ComfyUI

Security

ComfyUI is designed for personal/local use first. Production-grade authentication and authorization are out of scope for the core; this page documents what protections exist and where the trust boundaries are.

Trust model

The default trust model is trusted operator on a trusted network:

  • Anyone who can reach the listening port can queue prompts.
  • Anyone who can queue prompts can run arbitrary node code (custom nodes are Python — they run with the same privileges as the server).
  • Anyone who can write files to models/, input/, or custom_nodes/ can introduce malicious code.

Production deployments must layer auth (typically a reverse proxy doing OAuth/SSO/HTTP basic) and isolate the process (container, dedicated user, no broad filesystem write) on top of the core.

Network defaults

  • Bind address. Default 127.0.0.1. --listen is required to expose to other hosts; passing --listen with no value binds to 0.0.0.0,:: (all interfaces).
  • Origin-only middleware. When listening on loopback, the middleware in server.py compares Host and Origin headers and drops requests where they disagree. This blocks the "random tab in your browser POSTs to localhost" attack.
  • Sec-Fetch-Site: cross-site requests are rejected with 403, regardless of bind address.
  • CSP. The block_external_middleware in server.py sets a Content-Security-Policy that restricts script/style/connect sources to 'self'.
  • CORS. Off by default. --enable-cors-header [ORIGIN] opts in; with no value it allows *. Don't enable on the public internet without thinking carefully.
  • TLS. --tls-keyfile + --tls-certfile enables HTTPS.

Custom nodes are arbitrary code

Anything in custom_nodes/<dir>/__init__.py or prestartup_script.py runs at server start. There is no sandboxing.

Mitigations the runtime offers:

  • --disable-all-custom-nodes skips loading entirely.
  • --whitelist-custom-nodes <name1> <name2> ... only loads listed packages.
  • ComfyUI-Manager (when enabled) runs security checks on managed installs.
  • hook_breaker_ac10a0.py restores core function references between prompts so a custom node can't permanently monkey-patch the runtime.

If you can't audit a custom node, don't install it.

File path handling

Routes that take user-supplied paths validate them against directory roots:

  • /view → checks directory_type is one of output, input, temp, then resolves under that root.
  • _collect_output_absolute_paths in main.py — example pattern: compute the absolute path, then verify it stays under the expected base directory before opening.
  • app/assets/services/path_utils.py does similar normalization on asset paths.

folder_paths.get_full_path resolves logical model names (checkpoints/foo.safetensors) into disk paths and rejects values that escape the registered directory list.

Sensitive data in prompts

API nodes accept user credentials (api_key_comfy_org) as a hidden input. The server treats these as sensitive:

  • SENSITIVE_EXTRA_DATA_KEYS = ("auth_token_comfy_org", "api_key_comfy_org") in execution.py.
  • _remove_sensitive_from_queue in server.py strips them when the queue is exposed via /queue.
  • The executor injects them back into extra_data only when the node actually runs.
  • The HTTP client logger (comfy_api_nodes/util/request_logger.py) logs URL/method/status but not request bodies or auth headers.

Telemetry

The runtime sets HF_HUB_DISABLE_TELEMETRY=1 and DO_NOT_TRACK=1 early in main.py so common ML libraries don't phone home. The frontend manager fetches GitHub releases when resolving --front-end-version; that's the one outbound call ComfyUI core makes by default.

--disable-api-nodes ensures even the API node packages cannot reach paid providers.

Database lockfile

The asset DB acquires an OS file lock on <db>.lock in app/database/db.py. This prevents concurrent processes from corrupting SQLite, not from interfering with each other in malicious ways. Running multiple ComfyUI processes for separate users on the same host requires distinct --database-url values.

File-format safety

  • safetensors is preferred over .ckpt because it can't deserialize Python objects.
  • comfy.utils.load_torch_file defends against pickle exploits with weights_only=True where supported.
  • The README explicitly mentions "Safe loading of ckpt, pt, pth, etc..." as a feature, but safetensors is still the right default.

Reporting issues

For security-sensitive issues, contact the maintainers privately rather than opening a public GitHub issue. The README and CONTRIBUTING.md point at the Discord and Matrix channels for triage. The Comfy-Org GitHub organization handles coordinated disclosure.

Where to start a change

  • New input from the network needs path / size / mime validation before being passed to filesystem or PyTorch APIs.
  • New sensitive key (e.g., another provider's auth) goes into SENSITIVE_EXTRA_DATA_KEYS in execution.py.
  • New middleware: add to server.py's middleware list. Consider whether the new behavior should depend on a CLI flag.
  • New external endpoint a node calls: confirm --disable-api-nodes correctly disables it. Use comfy_api_nodes/util/client.py so per-request logging is consistent.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Security – ComfyUI wiki | Factory