comfyanonymous/ComfyUI
Security
ComfyUI is designed for personal/local use first. Production-grade authentication and authorization are out of scope for the core; this page documents what protections exist and where the trust boundaries are.
Trust model
The default trust model is trusted operator on a trusted network:
- Anyone who can reach the listening port can queue prompts.
- Anyone who can queue prompts can run arbitrary node code (custom nodes are Python — they run with the same privileges as the server).
- Anyone who can write files to
models/,input/, orcustom_nodes/can introduce malicious code.
Production deployments must layer auth (typically a reverse proxy doing OAuth/SSO/HTTP basic) and isolate the process (container, dedicated user, no broad filesystem write) on top of the core.
Network defaults
- Bind address. Default
127.0.0.1.--listenis required to expose to other hosts; passing--listenwith no value binds to0.0.0.0,::(all interfaces). - Origin-only middleware. When listening on loopback, the middleware in
server.pycomparesHostandOriginheaders and drops requests where they disagree. This blocks the "random tab in your browser POSTs to localhost" attack. Sec-Fetch-Site: cross-siterequests are rejected with403, regardless of bind address.- CSP. The
block_external_middlewareinserver.pysets a Content-Security-Policy that restricts script/style/connect sources to'self'. - CORS. Off by default.
--enable-cors-header [ORIGIN]opts in; with no value it allows*. Don't enable on the public internet without thinking carefully. - TLS.
--tls-keyfile+--tls-certfileenables HTTPS.
Custom nodes are arbitrary code
Anything in custom_nodes/<dir>/__init__.py or prestartup_script.py runs at server start. There is no sandboxing.
Mitigations the runtime offers:
--disable-all-custom-nodesskips loading entirely.--whitelist-custom-nodes <name1> <name2> ...only loads listed packages.- ComfyUI-Manager (when enabled) runs security checks on managed installs.
hook_breaker_ac10a0.pyrestores core function references between prompts so a custom node can't permanently monkey-patch the runtime.
If you can't audit a custom node, don't install it.
File path handling
Routes that take user-supplied paths validate them against directory roots:
/view→ checksdirectory_typeis one ofoutput,input,temp, then resolves under that root._collect_output_absolute_pathsinmain.py— example pattern: compute the absolute path, then verify it stays under the expected base directory before opening.app/assets/services/path_utils.pydoes similar normalization on asset paths.
folder_paths.get_full_path resolves logical model names (checkpoints/foo.safetensors) into disk paths and rejects values that escape the registered directory list.
Sensitive data in prompts
API nodes accept user credentials (api_key_comfy_org) as a hidden input. The server treats these as sensitive:
SENSITIVE_EXTRA_DATA_KEYS = ("auth_token_comfy_org", "api_key_comfy_org")inexecution.py._remove_sensitive_from_queueinserver.pystrips them when the queue is exposed via/queue.- The executor injects them back into
extra_dataonly when the node actually runs. - The HTTP client logger (
comfy_api_nodes/util/request_logger.py) logs URL/method/status but not request bodies or auth headers.
Telemetry
The runtime sets HF_HUB_DISABLE_TELEMETRY=1 and DO_NOT_TRACK=1 early in main.py so common ML libraries don't phone home. The frontend manager fetches GitHub releases when resolving --front-end-version; that's the one outbound call ComfyUI core makes by default.
--disable-api-nodes ensures even the API node packages cannot reach paid providers.
Database lockfile
The asset DB acquires an OS file lock on <db>.lock in app/database/db.py. This prevents concurrent processes from corrupting SQLite, not from interfering with each other in malicious ways. Running multiple ComfyUI processes for separate users on the same host requires distinct --database-url values.
File-format safety
safetensorsis preferred over.ckptbecause it can't deserialize Python objects.comfy.utils.load_torch_filedefends againstpickleexploits withweights_only=Truewhere supported.- The README explicitly mentions "Safe loading of ckpt, pt, pth, etc..." as a feature, but
safetensorsis still the right default.
Reporting issues
For security-sensitive issues, contact the maintainers privately rather than opening a public GitHub issue. The README and CONTRIBUTING.md point at the Discord and Matrix channels for triage. The Comfy-Org GitHub organization handles coordinated disclosure.
Where to start a change
- New input from the network needs path / size / mime validation before being passed to filesystem or PyTorch APIs.
- New sensitive key (e.g., another provider's auth) goes into
SENSITIVE_EXTRA_DATA_KEYSinexecution.py. - New middleware: add to
server.py's middleware list. Consider whether the new behavior should depend on a CLI flag. - New external endpoint a node calls: confirm
--disable-api-nodescorrectly disables it. Usecomfy_api_nodes/util/client.pyso per-request logging is consistent.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.