Enviar #811175: fishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22)información

Títulofishaudio Bert-VITS2 <= 406b79a Path Traversal (CWE-22)
Descripción# Technical Details A Path Traversal vulnerability exists in the `generate_config()` function in `webui_preprocess.py` of Bert-VITS2. The application fails to sanitize the user-provided data_dir parameter before passing it to os.path.join("./data", data_dir) and os.mkdir(), allowing traversal sequences (e.g., ../../../../tmp) to escape the intended ./data directory and create arbitrary directories and write config.json files with attacker-controlled content anywhere on the host filesystem. # Vulnerable Code File: webui_preprocess.py Method: generate_config() Why: The data_dir parameter received from the Gradio WebUI is concatenated with os.path.join("./data", data_dir) without applying os.path.realpath() or path prefix validation. The resulting path is used directly in os.mkdir() and open() to write a JSON config file, enabling directory creation and file write at arbitrary locations. # Reproduction 1. Start the Bert-VITS2 webui_preprocess.py application (Gradio default port 7860). 2. Send a crafted Gradio predict request with a traversal payload: curl -X POST http://127.0.0.1:7860/run/predict -H "Content-Type: application/json" -d '{"data": ["../../../../tmp", 1337], "fn_index": 0}' 3. Verify the config file was written outside the intended directory: cat /tmp/configs/config.json | grep batch_size # Output: "batch_size": 1337 # Impact - Arbitrary directory creation anywhere the server process has write access - Arbitrary JSON configuration file overwrite (attacker controls batch_size and other config values) - Application configuration poisoning leading to misbehavior or Denial of Service - Potential for further exploitation by overwriting config files relied upon by other services
Fuente⚠️ https://gist.github.com/YLChen-007/550cb92f3489c317ff049fc7d7ea6b99
Usuario
 Eric-b (UID 96354)
Sumisión2026-04-23 09:36 (hace 1 mes)
Moderación2026-05-16 19:37 (23 days later)
EstadoAceptado
Entrada de VulDB364383 [fishaudio Bert-VITS2 hasta 8f7fbd8c4770965225d258db548da27dc8dd934c Gradio Interface webui_preprocess.py generate_config data_dir recorrido de directorios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!