| عنوان | fishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22) |
|---|
| الوصف | # Technical Details
A Path Traversal vulnerability exists in the `generate_config()` function in `webui_preprocess.py` of Bert-VITS2.
The application fails to sanitize the user-provided data_dir parameter before passing it to os.path.join("./data", data_dir) and os.mkdir(), allowing traversal sequences (e.g., ../../../../tmp) to escape the intended ./data directory and create arbitrary directories and write config.json files with attacker-controlled content anywhere on the host filesystem.
# Vulnerable Code
File: webui_preprocess.py
Method: generate_config()
Why: The data_dir parameter received from the Gradio WebUI is concatenated with os.path.join("./data", data_dir) without applying os.path.realpath() or path prefix validation. The resulting path is used directly in os.mkdir() and open() to write a JSON config file, enabling directory creation and file write at arbitrary locations.
# Reproduction
1. Start the Bert-VITS2 webui_preprocess.py application (Gradio default port 7860).
2. Send a crafted Gradio predict request with a traversal payload:
curl -X POST http://127.0.0.1:7860/run/predict -H "Content-Type: application/json" -d '{"data": ["../../../../tmp", 1337], "fn_index": 0}'
3. Verify the config file was written outside the intended directory:
cat /tmp/configs/config.json | grep batch_size
# Output: "batch_size": 1337
# Impact
- Arbitrary directory creation anywhere the server process has write access
- Arbitrary JSON configuration file overwrite (attacker controls batch_size and other config values)
- Application configuration poisoning leading to misbehavior or Denial of Service
- Potential for further exploitation by overwriting config files relied upon by other services |
|---|
| المصدر | ⚠️ https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99 |
|---|
| المستخدم | Eric-b (UID 96354) |
|---|
| ارسال | 23/04/2026 09:36 AM (1 شهر منذ) |
|---|
| الاعتدال | 16/05/2026 07:37 PM (23 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 364383 [fishaudio Bert-VITS2 حتى 8f7fbd8c4770965225d258db548da27dc8dd934c Gradio Interface webui_preprocess.py generate_config data_dir اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|